Question

Execute SQL select query on an external database

3

Hi, In the How to execute an SQL select query on an external database the remarks section points out: Proper security must be applied as this action can allow SQL injection in your Mendix application. What is considered proper security in this context? In my opinion that would be by using parameterized SQL, will that be possible with the current implementation of 'Execute query'? If not, shouldn't it be? With kind regards, stephan

asked 2016-07-04

Stephan Bruijnis

2 answers

0

Hi Stephan,

Proper security is indeed a broad understanding. What's important here is that you make sure the security is correctly configured on entity level for the concerning entities and that the concerning microflows have the setting "Apply entity security" set to "yes"

answered 2016-07-04

Sebastiaan van der Plaat

Andrej Koelewijn · Accepted Answer · 2016-07-04

Currently you need to make sure the parameters provided aren't vulnerable to dependency injection. Basically this means: do not just concatenate user input. If you are generating the parameters yourself you can make sure there is no sql injection happening.

We will improve this in a future version of the database connector: once we have string template parameters for java actions, jdbc bind parameters will be used.