Questions and discussion about developing processes and programming in PHP, JavaScript, web services & REST API.

Moderator: ArturoRobles

#829402
Hi,
I encountered a problem while using the API.
I used the dropdown list in dynamic forms and wrote a query for it to list cities by state, as follows:

select id , name from sys_cities where parent_id =@#FK_ProvinceID ORDER BY `name`

But when using the web service, it becomes SQL injection, as follows:

url : api/1.0/workflow/project/3810212626028ab03488017019616799/process-variable/FK_CityID/execute-query
parameters :
{"FK_ProvinceID":"81971 union select usr_uid , usr_lastname from USERS","field_id":"FK_CityID","dyn_uid":"5566238366028af11c92f01059083231","app_uid":"26563220960fe7cd17ea610010200362","del_index":1}

Are there any settings to solve this problem?
#829420
Hi,
Thanks for the reply.
This code solved my problem:
select id , name from sys_cities where parent_id = @@FK_ProvinceID ORDER BY `name`

But this code is still vulnerable this way:
select id , name from sys_cities where parent_id = '@#FK_ProvinceID' ORDER BY `name`

=>
url : api/1.0/workflow/project/3810212626028ab03488017019616799/process-variable/FK_CityID/execute-query
parameters :
{"FK_ProvinceID":"81971' union select usr_uid , usr_lastname from USERS #","field_id":"FK_CityID","dyn_uid":"5566238366028af11c92f01059083231","app_uid":"26563220960fe7cd17ea610010200362","del_index":1}
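
Added example, not part of the original posts and not ProcessMaker's own code: a model of the dropdown query with raw textual substitution beside a hardened form that validates FK_ProvinceID as an integer and binds it as a parameter. It runs on an in-memory SQLite database with constructed rows; the function names and sample data are assumptions, and only the table names, column names and the two FK_ProvinceID values come from the thread.

```python
import sqlite3

# Constructed sample data; table and column names follow the queries in the thread.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sys_cities (id INTEGER, name TEXT, parent_id INTEGER);
        CREATE TABLE USERS (usr_uid TEXT, usr_lastname TEXT);
        INSERT INTO sys_cities VALUES (1, 'Alpha', 81971), (2, 'Beta', 81971), (3, 'Gamma', 5);
        INSERT INTO USERS VALUES ('uid-0001', 'Admin');
    """)
    return db

RAW_TEMPLATE = "select id, name from sys_cities where parent_id = {v} ORDER BY `name`"
BOUND_QUERY = "select id, name from sys_cities where parent_id = ? ORDER BY `name`"

def cities_raw(db, province_id):
    """Model of raw textual substitution: the value becomes part of the SQL text."""
    return db.execute(RAW_TEMPLATE.format(v=province_id)).fetchall()

def cities_bound(db, province_id):
    """Hardened form: reject non-integer input, then pass the value as a bound parameter."""
    text = str(province_id).strip()
    if not (text.isascii() and text.isdigit()):
        raise ValueError("FK_ProvinceID must be an integer")
    return db.execute(BOUND_QUERY, (int(text),)).fetchall()

# The two FK_ProvinceID values posted in the thread.
PAYLOAD_UNQUOTED = "81971 union select usr_uid , usr_lastname from USERS"
# Ends in '#', a MySQL comment marker that SQLite does not accept, so this
# value is only exercised against the hardened path.
PAYLOAD_QUOTED = "81971' union select usr_uid , usr_lastname from USERS #"

def demo():
    db = make_db()
    leaked = cities_raw(db, PAYLOAD_UNQUOTED)  # USERS row is returned among the cities
    rejected = []
    for payload in (PAYLOAD_UNQUOTED, PAYLOAD_QUOTED):
        try:
            cities_bound(db, payload)
        except ValueError:
            rejected.append(payload)
    return leaked, cities_bound(db, "81971"), rejected

if __name__ == "__main__":
    for part in demo():
        print(part)
```

Wrapping the placeholder in quotes changes what the value has to look like but not the outcome, because the value is still spliced into the SQL text; the integer check and the bound parameter keep it as data in both cases.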
