
Best practices for preventing SQL Injection attack in customizations

avillanueva
22-Sapphire I


I think one of the first exercises when customizing Windchill is making use of the QuerySpec API to search for objects in the database. Given a number string, find me the Parts that match and do something with them. If we are taking input from the browser, what considerations must we make so that we do not open ourselves up to SQL Injection? Does the API already handle this for us internally?

Given that I am providing the where clause with a string value directly from the user's input, how do we make sure it does not contain another SQL statement? Is that where it's done, checking before adding it to the where clause? I know that we can put checks on any exceptions that are thrown from bad input that can expose data. Just curious where developers' responsibilities lie and what PTC has already handled.
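As an added illustration (not code from the original post or from PTC), here is the lookup written so that the browser value never becomes SQL text. It assumes the public Windchill classes wt.query.QuerySpec, wt.query.SearchCondition, wt.fc.PersistenceHelper and wt.part.WTPart; that SearchCondition operands reach the database as bind variables rather than being spliced into the statement is an assumption to confirm against your own release (for example by turning on SQL logging), which is why the input is also checked against an allowlist first and database errors are not echoed back to the browser. The part-number pattern is a constructed placeholder.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

import wt.fc.PersistenceHelper;
import wt.fc.QueryResult;
import wt.part.WTPart;
import wt.query.QuerySpec;
import wt.query.SearchCondition;
import wt.util.WTException;

public class PartLookup {

    private static final Logger LOG = Logger.getLogger(PartLookup.class.getName());

    // Allowlist for the shape of a part number at this site (constructed
    // placeholder; adjust to your own numbering scheme). Anything that does
    // not match is rejected outright rather than "cleaned up".
    private static final Pattern PART_NUMBER = Pattern.compile("^[A-Z0-9][A-Z0-9._-]{0,63}$");

    /**
     * Finds parts whose number equals the request value. The value is never
     * concatenated into a where-clause string: it is validated, then passed
     * as the operand of a SearchCondition, so the query framework (not the
     * customization) is responsible for quoting/binding it.
     */
    public static QueryResult findByNumber(String numberFromRequest) throws WTException {
        if (numberFromRequest == null || !PART_NUMBER.matcher(numberFromRequest).matches()) {
            throw new IllegalArgumentException("invalid part number");
        }
        QuerySpec qs = new QuerySpec(WTPart.class);
        qs.appendWhere(
                new SearchCondition(WTPart.class, WTPart.NUMBER, SearchCondition.EQUAL, numberFromRequest),
                new int[] { 0 });
        return PersistenceHelper.manager.find(qs);
    }

    /**
     * Caller-side handling: the full exception (which may carry SQL text or
     * column names) goes to the server log only; the browser gets a generic
     * message, so a malformed or hostile input cannot be used to probe the
     * schema through error output.
     */
    public static String describeMatches(String numberFromRequest) {
        try {
            return findByNumber(numberFromRequest).size() + " matching part(s)";
        } catch (IllegalArgumentException e) {
            return "Please enter a valid part number.";
        } catch (WTException e) {
            LOG.severe("part lookup failed: " + e);
            return "Search is temporarily unavailable.";
        }
    }
}
```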


My best practice to this was to not customize:-)

Surprised you haven't got any suggestions on this... Figured it would start a healthy discussion!

avillanueva
22-Sapphire I
(To:jbailey)

Thanks, not sure why your answer reminded me of WOPR from Wargames. "Strange game. The only winning move is not to play."
