How to use parameterized queries in order to extract, modify, delete or insert data to the database?

0
My application is using an XPath function and has a security issue: it displays table and field names when pressing F12 in the browser, which could lead to SQL injection. I've read some topics and got a clue that using parameterized queries to extract, modify, delete or insert data in the database may resolve this issue. But I don't know how to do parameterized queries or how to apply them with XPath. Anyone, please advise.
asked
1 answer
1

Hi Sumonta,

The F12 view is displaying the table names. It has the security context of the user logged in (or the anonymous user, if enabled). If your Entity Access settings are secure, so is your data. Using XPath in the Entity Access settings helps.

Writing validation Microflows on the string that needs to be stored can be used to detect abnormalities and to refuse the storing of the data server-side.

If you are using the SQL Connector to interact with data in another database, you can use this blog https://www.mendix.com/blog/mendix-8-10-making-life-better/ to find your answers.

Go Make It.

answered
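To illustrate what "parameterized queries" means in the question above, here is an added example (not from the answer, and not Mendix's own SQL Connector code): the same lookup written by splicing input into the SQL text and written with a bound parameter, run against a constructed in-memory SQLite table. The table, rows and the name lookup are assumptions for the demo; the pattern is the same one a JDBC PreparedStatement or any other database driver provides.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory sample table standing in for the external
    # database the SQL Connector would reach; not the asker's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customer (Id INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Customer (Name) VALUES (?)",
                     [("Alice",), ("Bob",)])
    return conn


def find_by_name_concat(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable pattern: user input becomes part of the SQL text, so a quote
    # in the input changes the statement instead of being compared as data.
    sql = f"SELECT Name FROM Customer WHERE Name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized pattern: the SQL text is fixed; the value is bound
    # separately by the driver and can never alter the statement.
    sql = "SELECT Name FROM Customer WHERE Name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def concat_breaks_on_apostrophe(conn: sqlite3.Connection) -> bool:
    # Even ordinary data breaks the concatenated version: an apostrophe in a
    # legitimate name is a syntax error there, but harmless when bound.
    try:
        find_by_name_concat(conn, "O'Brien")
        return False
    except sqlite3.OperationalError:
        return True


def demo() -> tuple:
    conn = make_db()
    tainted = "x' OR '1'='1"  # constructed input containing a quote
    return (
        find_by_name_concat(conn, tainted),   # quote rewrites the WHERE clause
        find_by_name_param(conn, tainted),    # compared literally: no match
        find_by_name_param(conn, "Alice"),
        concat_breaks_on_apostrophe(conn),
    )
```

The bound version is what the SQL Connector's Java actions should use for every value that originates from a user; the XPath constraints in Entity Access are a separate layer that decides which objects a user may see at all.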