Best practices to mitigate SQL injections on forms

Hi,

Are there any best practices when creating forms to mitigate SQL injections?

We can do a validation on text fields to make sure certain character strings are not present, but I'm not sure whether that is a best practice, or whether the Appian cloud environment has application firewalls to mitigate this kind of thing from happening.

Any input is appreciated.

Thanks,

Gary

  • SQL injection protection is more about how you interact with the database than with how you collect data in a form. Whenever you interact with a database using Appian's out-of-the-box database functionality (like a!queryentity(), query rules, the write to data store smart service, etc), Appian uses prepared statements and parameterized queries when it actually talks to the database. This is the standard way to protect against SQL injection and is recommended by OWASP: www.owasp.org/.../SQL_Injection_Prevention_Cheat_Sheet.

    Long story short, if the way you interact with the database is solely through out-of-the-box functionality then you don't need to worry about adding input validation to all of your forms as the platform will handle the SQL injection protection for you.

    If you're passing the user-entered data through a plug-in or over a web service or through some other mechanism that does not use Appian's out-of-the-box database interactions, SQL injection might be a concern depending on how that plug-in or service is implemented.
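To illustrate the distinction the reply draws, an added example (not from the original thread or from Appian): a lookup written the way a hand-rolled plug-in or web service might do it, splicing form input into the SQL text, beside the prepared-statement form that Appian's out-of-the-box data functions use. Python's sqlite3 module, the table and the sample rows are constructed stand-ins for the real database.

```python
import sqlite3

# Constructed sample data standing in for the table a custom plug-in or
# web service would query on the form's behalf.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    # Form input spliced straight into the statement text: the database
    # cannot tell data from query structure, so the input can alter the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Prepared statement: '?' is bound as a value and is never parsed as SQL,
    # which is what Appian's out-of-the-box data access does for you.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Return (unsafe rows or None on SQL error, safe rows) for one input."""
    conn = make_db()
    try:
        try:
            unsafe = lookup_unsafe(conn, name)
        except sqlite3.Error:
            unsafe = None  # a quote in legitimate input broke the statement
        return unsafe, lookup_safe(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ["alice", "' OR '1'='1", "O'Brien"]:
        unsafe, safe = compare(value)
        print(f"{value!r}: unsafe -> {unsafe}, safe -> {safe}")
```

The "O'Brien" case also shows why blocklisting characters such as the apostrophe on the form is a poor substitute: it would reject valid names while leaving a concatenating plug-in just as exposed.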