Skip to main content
Contact a Moderator

Question

1
Replies
173
Views
 Balamurali Krishnan (BalamuraliKrishnan)
HCL Technologies Ltd
Senior Technical Architect
HCL Technologies Ltd
IN
BalamuraliKrishnan Member since 2020 3 posts
HCL Technologies Ltd
Posted: October 5, 2020
Last activity: October 30, 2020
Posted: 5 Oct 2020 11:22 EDT
Last activity: 30 Oct 2020 9:38 EDT

SQL Injection

Report

https://community.pega.com/sites/default/files/help_v731/security/best-practices/sec-security-guidelines-custom-HTML-ref.htm

>> Replace dynamic SQL statements with prepared statements that have parameterized queries to prevent possible SQL injection. <<

Can some help to understand, to avoid SQL injection we should not use Dynamic SQL statements which is parameterized to use User Input. Am i right?

If my Connect SQL is not having parameterized queries of User Input. Is it safe to use? or should we always prefer to use Obj methods.

Pega Platform Security
Reply
Posted: 11 months ago
Posted: 30 Oct 2020 9:38 EDT
Brad Tainter (Br@dTainter_GCS)
PEGA
Client Solutions Fellow
Pegasystems Inc.
US
Report

Hi Balamurali,

As per https://community.pega.com/knowledgebase/articles/security/84/security-guidelines-custom-html, Replace dynamic SQL statements with prepared statements that have parameterized queries to prevent possible SQL injection.  So yes to your first question.  Regarding your second question, the Obj- methods are preferred.  You just want to avoid Connect SQL with dynamic parameters as that could potentially be manipulated to cause an injection.

Reply

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice