Accenture
Posted: October 5, 2020
Last activity: October 30, 2020
SQL Injection
>> Replace dynamic SQL statements with prepared statements that have parameterized queries to prevent possible SQL injection. <<
Can someone help me understand: to avoid SQL injection, we should not use dynamic SQL statements that are parameterized to use user input. Am I right?
If my Connect SQL does not have parameterized queries of user input, is it safe to use? Or should we always prefer to use Obj methods?
Hi Balamurali,
As per https://community.pega.com/knowledgebase/articles/security/84/security-guidelines-custom-html, replace dynamic SQL statements with prepared statements that have parameterized queries to prevent possible SQL injection. So yes to your first question. Regarding your second question, the Obj- methods are preferred. You just want to avoid Connect SQL with dynamic parameters, as that could potentially be manipulated to cause an injection.
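As an added illustration of the guideline quoted above (this is example code, not from the original thread or from Pega), the same lookup is written twice: once by pasting the user's input into the statement text, once as a prepared statement with a bound parameter. Python's sqlite3 module and a constructed in-memory table stand in for the database; a Connect SQL rule would express the same two shapes in its own syntax.

```python
import sqlite3


def make_db():
    # Constructed sample table; stands in for a real data table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, region TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "EMEA"), (2, "bob", "APAC"), (3, "carol", "EMEA")],
    )
    return conn


def find_dynamic(conn, region):
    # Dynamic SQL: the input becomes part of the statement text, so the
    # database parses whatever the caller typed as SQL, not as a value.
    sql = f"SELECT name FROM customers WHERE region = '{region}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_parameterized(conn, region):
    # Prepared statement: the statement shape is fixed at parse time and the
    # input is bound afterwards, so it can only ever be compared as a string.
    sql = "SELECT name FROM customers WHERE region = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (region,))]


# Constructed input containing a quote and an OR clause, the classic shape
# that turns a one-row lookup into a full-table read under dynamic SQL.
CONSTRUCTED_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("dynamic, normal input:      ", find_dynamic(conn, "APAC"))
    print("dynamic, constructed input: ", find_dynamic(conn, CONSTRUCTED_INPUT))
    print("parameterized, same input:  ", find_parameterized(conn, CONSTRUCTED_INPUT))
```

The dynamic version returns every row for the constructed input because the WHERE clause has been rewritten; the parameterized version returns nothing, since no region literally equals that string.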