Question

1
Replies
67
Views
Close popover
Balamurali Krishnan (BalamuraliKrishnan)
Accenture

Accenture
SG
View Profile
BalamuraliKrishnan Member since 2020 2 posts
Accenture
Posted: October 5, 2020
Last activity: October 30, 2020

SQL Injection

https://community.pega.com/sites/default/files/help_v731/security/best-practices/sec-security-guidelines-custom-HTML-ref.htm

>> Replace dynamic SQL statements with prepared statements that have parameterized queries to prevent possible SQL injection. <<

Can some help to understand, to avoid SQL injection we should not use Dynamic SQL statements which is parameterized to use User Input. Am i right?

If my Connect SQL is not having parameterized queries of User Input. Is it safe to use? or should we always prefer to use Obj methods.

Pega Platform Security
Close popover
Posted: 2 months ago
Close popover
Brad Tainter (Br@dTainter_GCS)
PEGA
Client Solutions Fellow
Pegasystems Inc.
US
View Profile

Hi Balamurali,

As per https://community.pega.com/knowledgebase/articles/security/84/security-guidelines-custom-html, Replace dynamic SQL statements with prepared statements that have parameterized queries to prevent possible SQL injection.  So yes to your first question.  Regarding your second question, the Obj- methods are preferred.  You just want to avoid Connect SQL with dynamic parameters as that could potentially be manipulated to cause an injection.
Share this page Share via LinkedIn Copying...
Copied!