Validating select and update commands
In contrast to the standard method of selecting and updating records, which uses an expression builder, the advanced method enables you to enter free-form text in the Select and Update boxes. To validate this information, Participants checks that:
▪The correct type of command is being executed; that is, that a Select or Update has been requested.
▪There is only one command being executed.
The following example shows an attempt to inject malicious SQL into the WHERE clause of a SELECT statement. It fails because it produces two commands rather than one:
SELECT * FROM table_name WHERE Queue='FRESH'; DROP table MySampleTable
The execution plan validation specified in the Participants Web.config file should be sufficient to guard against most SQL injection. It is:
<add key="advancedvalidation" value="SHOWPLAN_ALL|SHOWPLAN_TEXT|\r|\n"/>
This validation prevents SHOWPLAN_ALL, SHOWPLAN_TEXT, carriage return (\r), and new line (\n) being present in the SELECT or UPDATE strings. SHOWPLAN_ALL and SHOWPLAN_Text are specified as invalid because they can be used to stop Participants being able to examine the validation plan.
You can define extra validation to prevent other text patterns occurring in the SELECT or UPDATE strings in advanced mode. Just append the text pattern to the existing definition for advanced validation. For example, to prevent the word MyText appearing in a SELECT or UPDATE string, type:
<add key="advancedvalidation" value="SHOWPLAN_ALL|SHOWPLAN_TEXT|\r|\n|MyText"/>
This validation happens on both the client and the server computers.
See also