SQL injection prevention
Attention: This article is relevant only for version 10 of the beqom Web Application.
To prevent SQL injection in the beqom application, the middleware that protects the application has been updated following the discovery of a number of vulnerabilities in the API endpoints that communicate with the application.
The security improvements have been applied to the following areas:
- Ad hoc reports
- Ad hoc report models
- Admin
- Data grids (and staging data grids)
- Data administration
- Forms
- Hierarchy administration
- Info Hub
- Integration
- Monitor administration
- Organization
- Process
- Process administration
- Process budget widget (custom stored procedure)
- Process reports
- Process filters
- Rules
- Synchronization
Warning: As a side effect of this security improvement, the following limitations are now observable in the application:
- Text that contains strings typically found in SQL statements is rejected: the characters ; , ( ) and the keywords SELECT, ALTER, CREATE, DELETE, DROP, INSERT, EXEC, EXECUTE, UNION and WAITFOR.
- It is not possible to enter text between chevrons (< >), because the application treats such a string as a tag.
Note: The SQL injection check can be bypassed for the definition of rule/population conditions. To do so, check the Ignore Parameter Validation on Rules and Populations box under Admin Portal > (Undefined variable: CompoVariables_WA_Alternate."Admin") > Technical Admin > Settings Management > Global.