5 Replies. Latest reply: Sep 18, 2013 2:41 PM by Timo Hahn

    Query By Example and security issues



      I have started looking at security issues in our ADF application.

      Is the default implementation of Query By Example (QBE) on a table safe from Cross Site Scripting and SQL Injection?

      In other words, can a user enter some value in a QBE input field that can either:

      - execute a malicious script (XSS)

      - somehow change the underlying SQL query

      I am more worried about SQL Injection as QBE takes input from a web user, and makes a corresponding SQL query to the database.

      Are there any ways to prevent any of these?
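The distinction the question turns on, as an added example that is not part of the original post and is not ADF code: a query-by-example style filter built by pasting user input into the WHERE clause, beside one that whitelists the column names and passes the values as bind variables, plus the HTML escaping that keeps an echoed filter value from running as script. The table, rows, column whitelist and function names are all constructed for the illustration; it runs against an in-memory SQLite database so nothing here depends on how a real ADF view object generates its SQL.

```python
import html
import sqlite3

# Constructed sample data (not from the original post): a small employee table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emp (id INTEGER, name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO emp VALUES (?, ?, ?, ?)",
        [(1, "Alice", "SALES", 5000), (2, "Bob", "IT", 7000), (3, "Carol", "IT", 9000)],
    )
    return conn

# Hypothetical whitelist: the only columns a QBE filter may name.
# Column identifiers cannot be bound as parameters, so they must be checked here.
FILTER_COLUMNS = {"name", "dept"}

def unsafe_qbe(conn, filters):
    """Vulnerable pattern: each filter value is concatenated into the WHERE clause.

    A value such as  x' OR '1'='1  closes the quoted literal and appends its own
    condition, so the filter matches every row instead of none.
    """
    where = " AND ".join(f"{col} = '{val}'" for col, val in filters.items())
    sql = f"SELECT name FROM emp WHERE {where} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def safe_qbe(conn, filters):
    """Hardened pattern: column names are whitelisted, values travel as bind variables.

    The same payload is now just a string compared against the dept column;
    the SQL text the database parses never changes with user input.
    """
    for col in filters:
        if col not in FILTER_COLUMNS:
            raise ValueError(f"column not allowed in filter: {col!r}")
    where = " AND ".join(f"{col} = ?" for col in filters)
    sql = f"SELECT name FROM emp WHERE {where} ORDER BY id"
    return [row[0] for row in conn.execute(sql, tuple(filters.values()))]

def render_cell(value):
    """Escape a filter value before echoing it back into the page (the XSS side).

    The value is stored and queried unchanged; escaping happens only at output.
    """
    return html.escape(str(value), quote=True)

if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unsafe, normal:", unsafe_qbe(db, {"dept": "IT"}))
    print("unsafe, payload:", unsafe_qbe(db, {"dept": payload}))
    print("safe, payload:", safe_qbe(db, {"dept": payload}))
    print("escaped:", render_cell("<script>alert(1)</script>"))
```

The two query functions produce identical SQL text for ordinary input; they differ only in whether the value is part of that text or a separate parameter. Whether a given framework's default filter falls on the safe side of that line is exactly what has to be checked, either in its documentation or by logging the statements it actually sends to the database.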