Validating select and update commands
In contrast to the standard method of selecting and updating records, which uses an expression builder, the advanced method allows users to enter free-form text in the Select and Update boxes. To validate this free-form input, Participants checks the execution plan for malicious input to ensure that:
The correct type of command is being executed; that is, that a Select or Update has been requested.
There is only one command being executed.
The following example shows an attempt to inject malicious SQL into the WHERE clause of a SELECT statement. It will fail because it produces two commands rather than one:
SELECT * FROM table_name WHERE Queue='FRESH'; DROP table MySampleTable
The execution plan validation specified in the Participants Web.config file should be sufficient to guard against most SQL injection. It is:
<add key="advancedvalidation" value="SHOWPLAN_ALL|SHOWPLAN_TEXT|\r|\n"/>
and it prevents SHOWPLAN_ALL, SHOWPLAN_TEXT, carriage return (\r), and new line (\n) from being present in the SELECT or UPDATE strings. SHOWPLAN_ALL and SHOWPLAN_TEXT are specified as invalid because they can be used to stop Participants from being able to examine the execution plan.
You can define extra validation to prevent other text patterns from occurring in the SELECT or UPDATE strings in advanced mode. Just append the text pattern to the existing definition for advanced validation, separated by a pipe (|). For example, to prevent the word MyText from appearing in a SELECT or UPDATE string, type:
<add key="advancedvalidation" value="SHOWPLAN_ALL|SHOWPLAN_TEXT|\r|\n|MyText"/>
This validation happens on both the client and the server computers.
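The following added example (not Participants' own code) models the two checks described above: it parses the pipe-delimited advancedvalidation value into forbidden patterns, then confirms that the text contains exactly one command of the expected type. The single-command check here is a simplified stand-in that splits on semicolons outside string literals and comments, whereas the product inspects the database's execution plan; case-insensitive pattern matching is also an assumption.

```python
import re

# Value copied from the Web.config example above.
ADVANCED_VALIDATION = r"SHOWPLAN_ALL|SHOWPLAN_TEXT|\r|\n|MyText"


def parse_patterns(value):
    """Split the pipe-delimited advancedvalidation value into literal patterns,
    turning the escape sequences \\r and \\n into real control characters."""
    return [p.replace(r"\r", "\r").replace(r"\n", "\n")
            for p in value.split("|") if p]


def forbidden_patterns(sql, value=ADVANCED_VALIDATION):
    """Return the configured patterns found in sql (assumed case-insensitive)."""
    lower = sql.lower()
    return [p for p in parse_patterns(value) if p.lower() in lower]


# String literals ('it''s'), line comments and block comments may contain
# semicolons that do not end a statement, so they are blanked out first.
_STRINGS_AND_COMMENTS = re.compile(r"'(?:[^']|'')*'|--[^\r\n]*|/\*.*?\*/", re.S)


def statements(sql):
    """Split sql into statements; a stand-in for the execution-plan inspection."""
    stripped = _STRINGS_AND_COMMENTS.sub(" ", sql)
    return [s.strip() for s in stripped.split(";") if s.strip()]


def validate(sql, expected, value=ADVANCED_VALIDATION):
    """Return (ok, reason). expected is 'SELECT' or 'UPDATE'."""
    hits = forbidden_patterns(sql, value)
    if hits:
        return False, "forbidden pattern: " + ", ".join(repr(h) for h in hits)
    stmts = statements(sql)
    if len(stmts) != 1:
        return False, f"{len(stmts)} commands found, expected 1"
    if stmts[0].split()[0].upper() != expected:
        return False, f"command is not {expected}"
    return True, "ok"


if __name__ == "__main__":
    # The injection attempt from the text fails because it yields two commands.
    print(validate("SELECT * FROM table_name WHERE Queue='FRESH'; "
                   "DROP table MySampleTable", "SELECT"))
```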
See also
Settings for the Participants activity