Hi,

As a starter, some validation of values using Formatting and Validation rules should prevent a few attacks, since a REGEX & string length should tightly limit all your request parameters.

Keep in mind, just like Java: "The important thing to remember is to never construct SQL statements using string concatenation of unchecked input values." (source: http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java )

Other things are more complex validation rules in DynaMents or Python to validate no standard attacks are underway. You can create an Iolet to call a stored procedure.

Best,
Tim Davis - OpenText Services

On Dec 20, 5:17 am, Karthikeyan Sivanantham <[email protected]> wrote:
> Hi All,
>
> How to avoid SQL injection?
>
> Below is the code we are using
>
> <rde-dm:rdb mode="update" alias="DB-read" sql="UPDATE <table_name> SET
> <field1>='[#request:item1#]',<field2>=TO_DATE('[#request:date#]','dd-Mon-yyyy hh:mi:ss AM') WHERE POLL_ID='[#request:pollId#]'"/>
>
> SQL injection has been done through the above code. How to avoid the
> same? What are the changes that can be done in the above code to avoid SQL
> injection.
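As an added example (not code from the thread, nor from RedDot/OpenText), here is the regex-plus-length allow-listing Tim describes applied to the three request parameters from the question, followed by the UPDATE run with bound parameters instead of string interpolation. Python is used because the reply names it; the table and column names, the patterns, the sample rows and the in-memory SQLite stand-in for the Oracle TO_DATE column are all assumptions.

```python
import re
import sqlite3
from datetime import datetime

# Allow-list per request parameter: (regex, max length). Patterns are assumptions, not RedDot's rules.
RULES = {
    "item1": (re.compile(r"[A-Za-z0-9 _-]{1,64}"), 64),
    "date": (re.compile(r"\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2} [AP]M"), 23),
    "pollId": (re.compile(r"\d{1,10}"), 10),
}
DATE_FORMAT = "%d-%b-%Y %I:%M:%S %p"  # mirrors TO_DATE(..., 'dd-Mon-yyyy hh:mi:ss AM')


def validate(params):
    """Return the checked parameters, or raise ValueError naming the bad one."""
    checked = {}
    for name, (pattern, max_len) in RULES.items():
        value = params.get(name, "")
        if len(value) > max_len or not pattern.fullmatch(value):
            raise ValueError(f"request parameter {name!r} failed validation")
        checked[name] = value
    # The regex only checks shape; parsing also rejects impossible dates such as day 99.
    checked["date"] = datetime.strptime(checked["date"], DATE_FORMAT)
    checked["pollId"] = int(checked["pollId"])
    return checked


def is_valid(params):
    """True if every request parameter passes validate()."""
    try:
        validate(params)
        return True
    except ValueError:
        return False


def update_poll(conn, params):
    """Run the UPDATE with bound parameters, so request values never enter the SQL text."""
    p = validate(params)
    cur = conn.execute(
        "UPDATE poll SET item1 = ?, item_date = ? WHERE POLL_ID = ?",
        (p["item1"], p["date"].isoformat(), p["pollId"]),
    )
    conn.commit()
    return cur.rowcount


def demo_db():
    """In-memory SQLite table standing in for the Oracle table in the question (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE poll (POLL_ID INTEGER PRIMARY KEY, item1 TEXT, item_date TEXT)")
    conn.execute("INSERT INTO poll VALUES (7, 'old', NULL), (8, 'other', NULL)")
    return conn
```

A request whose item1 contains a quote, whose pollId is not purely numeric, or whose date does not parse is rejected before any SQL is built; a well-formed request updates exactly the addressed row.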
