Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Balamurali Krishnan (BalamuraliKrishnan)
HCL Technologies
Senior Technical Architect
HCL Technologies
NL
BalamuraliKrishnan Member since 2020 6 posts
HCL Technologies
Posted: Oct 5, 2020
Last activity: Oct 30, 2020
Posted: 5 Oct 2020 11:22 EDT
Last activity: 30 Oct 2020 9:38 EDT
Closed

SQL Injection

https://community.pega.com/sites/default/files/help_v731/security/best-practices/sec-security-guidelines-custom-HTML-ref.htm

>> Replace dynamic SQL statements with prepared statements that have parameterized queries to prevent possible SQL injection. <<

Can some help to understand, to avoid SQL injection we should not use Dynamic SQL statements which is parameterized to use User Input. Am i right?

If my Connect SQL is not having parameterized queries of User Input. Is it safe to use? or should we always prefer to use Obj methods.

To see attachments, please log in.
Pega Platform
Security

Posted: 4 years ago
Posted: 30 Oct 2020 9:38 EDT
Brad Tainter (Br@dTainter_GCS)
PEGA
Fellow, Technical Support, Platform Service
Pegasystems Inc.
US

Hi Balamurali,

As per https://community.pega.com/knowledgebase/articles/security/84/security-guidelines-custom-html, Replace dynamic SQL statements with prepared statements that have parameterized queries to prevent possible SQL injection.  So yes to your first question.  Regarding your second question, the Obj- methods are preferred.  You just want to avoid Connect SQL with dynamic parameters as that could potentially be manipulated to cause an injection.

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice