Questions and discussion about developing processes and programming in PHP, JavaScript, web services & REST API.

Moderator: ArturoRobles

Forum rules: Please search to see if a question has already asked before creating a new topic. Please don't post the same question in multiple forums.
#829402
Hi,
I encountered a problem while using the API.
I used the dropdown list in dynamic forms and wrote a query for it to list cities by state, as follows:

select id , name from sys_cities where parent_id =@#FK_ProvinceID ORDER BY `name`

But when using the web service, it is open to SQL injection as follows:

url : api/1.0/workflow/project/3810212626028ab03488017019616799/process-variable/FK_CityID/execute-query
parameters :
{"FK_ProvinceID":"81971 union select usr_uid , usr_lastname from USERS","field_id":"FK_CityID","dyn_uid":"5566238366028af11c92f01059083231","app_uid":"26563220960fe7cd17ea610010200362","del_index":1}

Are there any settings to solve this problem?
#829420
Hi,
thanks for the reply.
This code solved my problem:
select id , name from sys_cities where parent_id = @@FK_ProvinceID ORDER BY `name`

But this code is still vulnerable in this way:
select id , name from sys_cities where parent_id = '@#FK_ProvinceID' ORDER BY `name`

=>
url : api/1.0/workflow/project/3810212626028ab03488017019616799/process-variable/FK_CityID/execute-query
parameters :
{"FK_ProvinceID":"81971' union select usr_uid , usr_lastname from USERS #","field_id":"FK_CityID","dyn_uid":"5566238366028af11c92f01059083231","app_uid":"26563220960fe7cd17ea610010200362","del_index":1}
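The two posts above show the same root cause twice: the province id is pasted into the SQL text, so a value that is not a plain integer changes the query. Quoting the placeholder (the second post's `'@#FK_ProvinceID'`) does not fix that, because a single quote in the value closes the literal. The example below is an added illustration, not code from the thread or from ProcessMaker itself: it uses Python with an in-memory SQLite database and constructed stand-ins for the `sys_cities` and `USERS` tables, and the function names, the regular expression and the sample rows are assumptions. It puts the raw-substitution form from the first post beside a hardened form that whitelist-validates the value as an integer and binds it as a query parameter, which rejects both payloads quoted in the thread.

```python
import re
import sqlite3


def make_demo_db():
    """Constructed sample data standing in for the sys_cities / USERS tables named in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sys_cities (id INTEGER PRIMARY KEY, name TEXT, parent_id INTEGER);
        CREATE TABLE USERS (usr_uid TEXT, usr_lastname TEXT);
        INSERT INTO sys_cities VALUES (1, 'City A', 81971), (2, 'City B', 81971), (3, 'City C', 5);
        INSERT INTO USERS VALUES ('u-0001', 'Doe');
        """
    )
    return conn


def cities_raw_substitution(conn, province_value):
    """Mirrors the @#FK_ProvinceID form from the first post: the value is pasted into the SQL text.

    Kept here only so the hardened version can be compared against it.
    """
    sql = f"select id , name from sys_cities where parent_id = {province_value} ORDER BY name"
    return conn.execute(sql).fetchall()


# Assumed whitelist: a province id is a plain decimal integer of at most ten digits.
PROVINCE_ID_RE = re.compile(r"[0-9]{1,10}")


def cities_parameterized(conn, province_value):
    """Hardened form: validate the value against the whitelist, then bind it as a parameter.

    Both checks matter. The regular expression rejects anything that is not an integer id
    (including the union and quote-break-out payloads from the thread) before any SQL is
    built, and the bound parameter guarantees the value can never be parsed as SQL even if
    the validation rule is later relaxed.
    """
    text = str(province_value)
    if not PROVINCE_ID_RE.fullmatch(text):
        raise ValueError("FK_ProvinceID must be a plain integer id")
    sql = "select id , name from sys_cities where parent_id = ? ORDER BY name"
    return conn.execute(sql, (int(text),)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print(cities_parameterized(db, "81971"))
    for payload in (
        "81971 union select usr_uid , usr_lastname from USERS",
        "81971' union select usr_uid , usr_lastname from USERS #",
    ):
        try:
            cities_parameterized(db, payload)
        except ValueError as err:
            print("rejected:", err)
```

The same two-layer approach applies whichever variable prefix the form engine offers: treat the dropdown's parent value as untrusted request input (it arrives in the `execute-query` request body, not from the server), accept only the shape a real foreign key can have, and let the database driver bind it rather than splicing it into the query string.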