Validating select and update commands
The advanced method enables you to enter free-form text in the Select and Update boxes. To validate this information, Participants checks that:
▪ the correct type of command is being executed; that is, that a Select or Update has been requested, and
▪ only one command is being executed.
The following example shows an attempt to inject malicious SQL into the WHERE clause of a SELECT statement. It fails because it produces two commands rather than one:
SELECT * FROM table_name WHERE Queue='FRESH'; DROP table MySampleTable
The execution plan validation specified in the Participants Web.config file should be sufficient to guard against most SQL injection. It is:
<add key="advancedvalidation" value="SHOWPLAN_ALL|SHOWPLAN_TEXT|\r|\n"/>
This validation prevents SHOWPLAN_ALL, SHOWPLAN_TEXT, carriage return (\r), and new line (\n) from being present in the SELECT or UPDATE strings. SHOWPLAN_ALL and SHOWPLAN_TEXT are specified as invalid because they can be used to stop Participants from examining the execution plan.
You can define extra validation to prevent other text patterns from occurring in the SELECT or UPDATE strings in advanced mode. To do this, append the text pattern, separated by a vertical bar (|), to the existing definition for advanced validation. For example, to prevent the word MyText from appearing in a SELECT or UPDATE string, type:
<add key="advancedvalidation" value="SHOWPLAN_ALL|SHOWPLAN_TEXT|\r|\n|MyText"/>
This validation happens on both the client and the server computers.
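The following Python is an added example, not Participants' own code, showing how the three checks described above fit together: the command type must be SELECT or UPDATE, only one statement may be present, and none of the pipe-separated advancedvalidation patterns may appear in the string. It assumes that pattern matching is case-insensitive, that the literal two-character sequences \r and \n in the config value stand for the carriage-return and new-line characters, and it uses a simple semicolon heuristic (string literals removed first) in place of the execution-plan check that Participants actually performs. The Web.config fragment is constructed for the example; the key name and its default value are the ones shown on this page, with the page's own MyText token appended.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Web.config fragment. The key and default value are the ones
# documented above; MyText is the page's example of an appended pattern.
WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="advancedvalidation" value="SHOWPLAN_ALL|SHOWPLAN_TEXT|\\r|\\n|MyText"/>
  </appSettings>
</configuration>"""

# Assumption: the config stores \r and \n as literal backslash sequences.
_ESCAPES = {r"\r": "\r", r"\n": "\n", r"\t": "\t"}

# Matches a single-quoted SQL string literal, including doubled-quote escapes.
_LITERAL = re.compile(r"'(?:[^']|'')*'")


def load_patterns(config_xml: str, key: str = "advancedvalidation") -> list[str]:
    """Read the pipe-separated pattern list from an appSettings <add> element."""
    root = ET.fromstring(config_xml)
    for add in root.iter("add"):
        if add.get("key") == key:
            raw = add.get("value", "")
            return [_ESCAPES.get(tok, tok) for tok in raw.split("|") if tok]
    raise KeyError(f"no appSettings key {key!r}")


def find_violations(sql: str, patterns: list[str]) -> list[str]:
    """Return every configured pattern that occurs in sql (case-insensitive, by assumption)."""
    haystack = sql.casefold()
    return [p for p in patterns if p.casefold() in haystack]


def is_single_statement(sql: str) -> bool:
    """Heuristic stand-in for the execution-plan check: after blanking string
    literals and dropping a trailing semicolon, any remaining ';' means a
    second statement was supplied."""
    body = _LITERAL.sub("''", sql).rstrip().rstrip(";")
    return ";" not in body


def validate_command(sql: str, patterns: list[str]) -> tuple[bool, str]:
    """Apply command-type, single-statement and blocklist checks in that order."""
    stripped = sql.strip()
    first = stripped.split(None, 1)[0].upper() if stripped else ""
    if first not in ("SELECT", "UPDATE"):
        return False, f"command type {first or '<empty>'} not allowed"
    if not is_single_statement(stripped):
        return False, "more than one statement"
    hits = find_violations(stripped, patterns)
    if hits:
        return False, "blocked pattern: " + ", ".join(repr(h) for h in hits)
    return True, "ok"


if __name__ == "__main__":
    pats = load_patterns(WEB_CONFIG)
    for sql in (
        "SELECT * FROM table_name WHERE Queue='FRESH'",
        "SELECT * FROM table_name WHERE Queue='FRESH'; DROP table MySampleTable",
        "UPDATE table_name SET Queue='DONE'\nWHERE Queue='FRESH'",
        "SELECT * FROM table_name WHERE Note='see mytext'",
    ):
        print(validate_command(sql, pats), "<-", sql.replace("\n", "\\n"))
```

The blocklist is deliberately a plain substring match so that a pattern appended to the config behaves exactly as the page describes; because it is a blocklist, it complements rather than replaces the execution-plan check, which is why the single-statement test runs before it.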