Date: Thu, 28 Mar 2024 08:11:23 +0000 (UTC) Message-ID: <125429695.138019.1711613483975@ip-10-0-0-39.us-west-2.compute.internal> Subject: Exported From Confluence MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_Part_138018_1271178270.1711613483974" ------=_Part_138018_1271178270.1711613483974 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Location: file:///C:/exported.html
Prevent SQL injection
When using Hash Variabl= e that uses URL parameter or user-inputted value in the SQL query, ensu= re that these hash variable(s) are escaped in the que= ry!
Make use of hash variable escape keywords, see =
Hash Variable - Escaping the Resultant Hash Variable.
Example of VULNERABLE query:
SELECT * FROM app_fd_sample_table WHE= RE c_value =3D '#requestP= aram.id#'
To fix this, use ?sql hash variable escape:
SELECT * FROM app_fd_sample_table WHE= RE c_value =3D '#requestParam.id?sql#'
Database SQL Query List Action allows you to perform SQ= L queries on one (a row action) or more records (a bulk action) in your dat= alist. You can specify which database to perform the SQL function, either t= he current Joget database (default datasource) or a custom datasource (exte= rnal database).
Database SQL Query List Action can be used to delete records or perform = an update on one or more records based on user selection in the datalist ch= eckboxes.
Figure 1 : Database SQL Query Action Menu
Figure 2 : Database SQL Query List Action
Properties
Name | Description |
---|---|
Label | Datalist button lab= el. |
Confirmation Message= td> | Confirmation messag= e before performing action, for example "Are you sure?". |
Datasource | Target database to execute SQL statements on. Choices:-
|
Custom JDBC Driver= |
JDBC driver name. Example values:
Only applicable to "Custom Datasourc= e" option. |
Custom JDBC URL |
Database connection URL. Example: jdbc:mysql://localhost:3306/jw= db Only applicable to "Custom Datasourc= e" option. |
Custom JDBC Userna= me | Database username. Example: root= Only applicable to "Custom Datas= ource" option. |
Custom JDBC Passwo= rd |
Specified database user's password. Only applicable to "Custom Datasourc= e" option. Test the connection parameters Click on the "Test Connection" button at the bottom of the page to quick= ly test out your configurations. |
Query |
If a column name contains reserved keywords, do ensure it is encapsulate= d properly. For example for MySQL, if the column identifier itself contains a dot sy= mbol ( . ), it should be encapsulated like this: SELECT `= myAppName.myColumn` FROM app_fd_myTable; Insert your SQL statement here. Use syntax like {id} in query to inject = the selected row key. Use {uuid} to generate a unique id (or primary key). = Examples: Example
INSERT IN= TO app_fd_sample (id, c_clicked)=20 VALUES ( {uuid}, {id}=20 ) Example
UPDATE app_fd_sample=20 SET c_clicked =3D CONCAT(c_clicked, ',', {id})=20 WHERE id =3D {id} Example
DELETE FROM app_fd_myTable=20 WHERE id =3D {id} Table & Column Naming
How it works? The special parameters {id} and {uuid} will be replaced with actual valu= es through the use of PreparedSt= atement. As you can see from the example above, there is no need t= o encapsulate both of these special keywords with quotes. |
APP_datalist_using_jdbc_dx_= kb.jwa