Questions and discussion about developing processes and programming in PHP, JavaScript, web services & REST API.

Moderator: ArturoRobles

Forum rules: Please search to see if a question has already asked before creating a new topic. Please don't post the same question in multiple forums.
#829402
Hi,
I encountered a problem while using the API.
I used the dropdownlist in dynamic forms and wrote a query for it to list cities by state as follows:

select id , name from sys_cities where parent_id =@#FK_ProvinceID ORDER BY `name`

But when using the web service, it becomes an SQL injection, as follows:

url : api/1.0/workflow/project/3810212626028ab03488017019616799/process-variable/FK_CityID/execute-query
parameters :
{"FK_ProvinceID":"81971 union select usr_uid , usr_lastname from USERS","field_id":"FK_CityID","dyn_uid":"5566238366028af11c92f01059083231","app_uid":"26563220960fe7cd17ea610010200362","del_index":1}

Are there any settings to solve this problem?
#829420
Hi,
thanks for the reply.
This code solved my problem:
select id , name from sys_cities where parent_id = @@FK_ProvinceID ORDER BY `name`

But this code is still vulnerable in this way:
select id , name from sys_cities where parent_id = '@#FK_ProvinceID' ORDER BY `name`

=>
url : api/1.0/workflow/project/3810212626028ab03488017019616799/process-variable/FK_CityID/execute-query
parameters :
{"FK_ProvinceID":"81971' union select usr_uid , usr_lastname from USERS #","field_id":"FK_CityID","dyn_uid":"5566238366028af11c92f01059083231","app_uid":"26563220960fe7cd17ea610010200362","del_index":1}

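As an added illustration (not code from the thread or from ProcessMaker), the following shows why pasting FK_ProvinceID into the SQL text, unquoted as in the first post or quoted as in the second, is not fixable by quoting alone, and what the hardened form looks like: validate the value as a numeric id and bind it as a query parameter. The sys_cities and USERS rows are constructed sample data in SQLite, standing in for the forum's MySQL tables; the quoted `'`/`#` variant from the second post is MySQL comment syntax and is not reproduced here.

```python
import sqlite3

# Constructed sample data standing in for the sys_cities and USERS tables
# queried in the posts (SQLite here instead of ProcessMaker's MySQL).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sys_cities (id INTEGER, name TEXT, parent_id INTEGER);
        CREATE TABLE USERS (usr_uid TEXT, usr_lastname TEXT);
        INSERT INTO sys_cities VALUES (1, 'Tabriz', 81971),
                                      (2, 'Marand', 81971),
                                      (3, 'Shiraz', 81972);
        INSERT INTO USERS VALUES ('00000000000000000000000000000001', 'admin');
    """)
    return conn

# Raw substitution, the behaviour the @# placeholder gave in the first post:
# the request parameter is spliced into the SQL text and parsed as SQL.
def cities_unsafe(conn, fk_province_id):
    sql = ("select id , name from sys_cities where parent_id = "
           + fk_province_id + " ORDER BY name")
    return conn.execute(sql).fetchall()

# Check used by the hardened form: parent_id is a numeric id, so anything
# that is not a plain digit string is rejected before it reaches the query.
def is_valid_province_id(value):
    return str(value).isdigit()

# Hardened form: validate, then bind the value as a parameter so the
# database engine never interprets it as part of the statement.
def cities_safe(conn, fk_province_id):
    if not is_valid_province_id(fk_province_id):
        raise ValueError("FK_ProvinceID must be a numeric id")
    sql = "select id , name from sys_cities where parent_id = ? ORDER BY name"
    return conn.execute(sql, (int(fk_province_id),)).fetchall()

# The value from the first post's request body.
PAYLOAD = "81971 union select usr_uid , usr_lastname from USERS"

if __name__ == "__main__":
    conn = make_db()
    print(cities_unsafe(conn, "81971"))   # two cities
    print(cities_unsafe(conn, PAYLOAD))   # user rows leak into the city list
    print(cities_safe(conn, "81971"))     # two cities
    print(is_valid_province_id(PAYLOAD))  # False: request is rejected
```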