5 Replies Latest reply: Sep 18, 2013 2:41 PM by Timo Hahn

    Query By Example and security issues

    user754810

      Hi,

      I have started looking at security issues in our ADF application.


      Is the default implementation of Query By Example (QBE) on a table safe from Cross Site Scripting and SQL Injection?

      In other words, can a user enter some value in a QBE input field that can either:

      - execute a malicious script (CSS)

      Or

      - somehow change the underlying SQL query

      I am more worried about SQL Injection as QBE takes input from a web user, and makes a corresponding SQL query to the database.


      Are there any ways to prevent any of these?


      Thanks
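An added illustration of the SQL-injection half of the question, not code from the original thread and not ADF's own QBE implementation. It uses Python with an in-memory SQLite table (the table, rows and column whitelist are constructed for the example) to show the two ways a QBE filter can be turned into a WHERE clause: pasting the user's value into the SQL text, beside the same filter built with bind variables. The bind-variable version also whitelists column names (which cannot be bound) and escapes LIKE wildcards, so a value of `%` no longer matches every row.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
EMPLOYEES = [
    (1, "Alice", "Sales", 5000),
    (2, "Bob", "Engineering", 7000),
    (3, "Carol", "Sales", 5500),
]

# Hypothetical whitelist of columns a QBE row is allowed to filter on.
ALLOWED_COLUMNS = {"name", "dept"}


def make_db():
    """Build the in-memory table the QBE filters run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emp (id INTEGER, name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO emp VALUES (?, ?, ?, ?)", EMPLOYEES)
    return conn


def qbe_unsafe(conn, filters):
    """QBE filter built by string concatenation: each value typed into a
    filter field is pasted straight into the SQL text. Deliberately
    vulnerable; a value such as "' OR 1=1 --" rewrites the WHERE clause."""
    clauses = [f"{col} LIKE '{val}%'" for col, val in filters.items()]
    sql = "SELECT id FROM emp WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql)]


def qbe_safe(conn, filters):
    """Same filter using bind variables. Column names are checked against a
    whitelist (identifiers cannot be bound), values travel as parameters,
    and LIKE wildcards in the value are escaped so it is matched literally."""
    clauses, params = [], []
    for col, val in filters.items():
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown filter column {col!r}")
        clauses.append(f"{col} LIKE ? ESCAPE '\\'")
        literal = (val.replace("\\", "\\\\")
                      .replace("%", "\\%")
                      .replace("_", "\\_"))
        params.append(literal + "%")  # "starts with" semantics, as in the unsafe form
    sql = "SELECT id FROM emp WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = make_db()
    for value in ("Sales", "' OR 1=1 --", "%"):
        print(f"dept filter {value!r}: unsafe -> {qbe_unsafe(conn, {'dept': value})}, "
              f"safe -> {qbe_safe(conn, {'dept': value})}")
```

With a normal value such as `Sales` both versions return the same rows; with `' OR 1=1 --` the concatenated version returns every employee because the comment marker swallows the rest of the clause, while the bound version returns nothing because no department literally starts with that text. The `%` case is not an injection but shows why wildcards in the value need escaping when the filter is meant to be a prefix match.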