Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


titlePrevent SQL injection

When using Hash Variable that uses URL parameter or user-inputted value in the SQL query, ensure that these hash variable(s) are escaped in the query!

Make use of hash variable escape keywords, see Hash Variable - Escaping the Resultant Hash Variable.

Example of VULNERABLE query:

SELECT * FROM app_fd_sample_table


WHERE c_value = ''

To fix this, use ?sql hash variable escape:

SELECT * FROM app_fd_sample_table WHERE c_value = ''


JDBC Datalist Action allows you to perform SQL queries on one (a row action) or more records (a bulk action) in your datalist. You can specify which database to perform the SQL function, either the current Joget database (default datasource) or a custom datasource (external database).