Leon,
I'm glad you brought this up. It has always been a question in the back of my
mind.
-Adrian
Leon Torres wrote:
Ok I just tried to do it and it doesn't work because ofbiz validates the
field names, which is great. Here's what I tried:
opportunitiesOrderBy=opportunityStageId;delete%20from%20party%20where%201=1
Results in:
Target exception: org.ofbiz.entity.GenericModelException: Field with
name opportunityStageId;delete from party where 1=1 not found in the
PartyRelationshipAndSalesOpportunity Entity
So there is no need to worry about using request parameters directly in
the entity engine API.
- Leon
Leon Torres wrote:
How robust is the entity engine API against sql injection attacks?
Consider the following scenario:
// get the field to order by from the request parameters
orderByField = parameters.get("orderByField");
if (orderByField == null || orderByField.trim().length() == 0) {
orderByField = "partyId"; // default (variable name was misspelled "orderByFeild")
}
...
parties = delegator.findByAnd("Party", conditions,
UtilMisc.toList(orderByField)); // order by this field
What happens if the user tries to inject SQL into the orderByField
parameter? Is there a risk? Should I be protecting myself by
validating the orderByField parameter or does ofbiz/JDBC already do this?
- Leon
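The behaviour Leon reports (the order-by field name is checked against the entity's declared fields, so the payload never reaches SQL) next to the unchecked concatenation his question worries about, as an added example in Python that is not OFBiz's own code. A hand-typed field map stands in for the entity model, a throwaway SQLite database holds two constructed Party rows, and executescript() stands in for a driver that runs every statement in a string. The regex, the function names and the sample data are assumptions made for this example. The underlying point is one a practitioner should keep in mind: an ORDER BY column cannot be passed as a JDBC bind parameter, so escaping is no help; the defence is a whitelist check of the name against the entity model, which is what OFBiz does.

```python
import re
import sqlite3

# Constructed stand-in for the OFBiz entity model (entity name -> declared field
# names). In OFBiz this comes from the delegator's ModelEntity; here it is typed
# in by hand so the example runs offline.
ENTITY_FIELDS = {
    "Party": {"partyId", "partyTypeId", "statusId"},
    "PartyRelationshipAndSalesOpportunity": {
        "partyIdFrom", "partyIdTo", "salesOpportunityId", "opportunityStageId",
    },
}


class GenericModelException(Exception):
    """Stands in for org.ofbiz.entity.GenericModelException from the thread."""


# One order-by term: an identifier-shaped field name with an optional ASC/DESC
# suffix (assumed syntax). A ';', quotes or a second statement fail to match.
ORDER_BY_TERM = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?:\s+(ASC|DESC))?$",
                           re.IGNORECASE)


def validate_order_by(entity_name, order_by_field):
    """Return 'field ASC|DESC' for a field declared on the entity, else raise.

    ORDER BY cannot be a bind parameter, so the name is checked against the
    model before it is spliced into SQL, the way the thread reports OFBiz doing.
    """
    match = ORDER_BY_TERM.match(order_by_field.strip())
    if not match or match.group(1) not in ENTITY_FIELDS[entity_name]:
        raise GenericModelException(
            f"Field with name {order_by_field} not found in the {entity_name} Entity")
    return f"{match.group(1)} {(match.group(2) or 'ASC').upper()}"


def is_safe_order_by(entity_name, order_by_field):
    """True when validate_order_by accepts the value."""
    try:
        validate_order_by(entity_name, order_by_field)
        return True
    except GenericModelException:
        return False


def unsafe_query(entity_name, order_by_field):
    """The vulnerable pattern: request text concatenated straight into SQL."""
    return f"SELECT * FROM {entity_name} ORDER BY {order_by_field}"


def safe_query(entity_name, order_by_field):
    """Same statement, but only a validated field name ever reaches it."""
    return (f"SELECT * FROM {entity_name} ORDER BY "
            f"{validate_order_by(entity_name, order_by_field)}")


def _party_db():
    """Throwaway in-memory SQLite database with two constructed Party rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Party (partyId TEXT, partyTypeId TEXT, statusId TEXT)")
    conn.executemany("INSERT INTO Party VALUES (?, ?, ?)",
                     [("10000", "PERSON", "PARTY_ENABLED"),
                      ("10001", "PARTY_GROUP", "PARTY_ENABLED")])
    return conn


def party_rows_after_unsafe(order_by_field):
    """Run the concatenated query with executescript(), which executes every
    statement in the string (a driver that allows batching behaves the same),
    and return how many Party rows are left afterwards."""
    conn = _party_db()
    conn.executescript(unsafe_query("Party", order_by_field))
    return conn.execute("SELECT COUNT(*) FROM Party").fetchone()[0]


def party_ids_safe(order_by_field):
    """Run the validated query and return the partyIds in the requested order."""
    conn = _party_db()
    return [row[0] for row in conn.execute(safe_query("Party", order_by_field))]


if __name__ == "__main__":
    payload = "partyId;delete from Party where 1=1"
    print("unsafe, benign input   ->", party_rows_after_unsafe("partyId"), "rows left")
    print("unsafe, injected input ->", party_rows_after_unsafe(payload), "rows left")
    print("safe, benign input     ->", party_ids_safe("partyId DESC"))
    try:
        party_ids_safe(payload)
    except GenericModelException as exc:
        print("safe, injected input   ->", exc)
```

The unsafe path loses both rows to the injected DELETE; the safe path raises before any SQL runs, with the same message shape Leon quotes. The ASC/DESC handling is this example's own convention, not OFBiz's order-by syntax, and a field that exists on a different entity is rejected just like a field that exists nowhere.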