[AmirShapourian]

hi
I encountered a problem while using the API
I used the dropdownlist in dynamic forms and wrote a query for it to list cities by states as follows

select id , name from sys_cities where parent_id =@#FK_ProvinceID ORDER BY `name`

But when using the web service, it becomes SQL Injection as follows

url : api/1.0/workflow/project/3810212626028ab03488017019616799/process-variable/FK_CityID/execute-query
parameters :
{"FK_ProvinceID":"81971 union select usr_uid , usr_lastname from USERS","field_id":"FK_CityID","dyn_uid":"5566238366028af11c92f01059083231","app_uid":"26563220960fe7cd17ea610010200362","del_index":1}

Are there any settings to solve this problem?

[programerboy]

Hi,
You can write your query in one of the following ways to avoid this problem:

Code: Select all

select id , name from sys_cities where parent_id = @@FK_ProvinceID ORDER BY `name`

or

Code: Select all

select id , name from sys_cities where parent_id = '@#FK_ProvinceID' ORDER BY `name`

https://pmlearning.ir
Thanks

[AmirShapourian]

hi
thanks for reply
this code solved my problem :
select id , name from sys_cities where parent_id = @@FK_ProvinceID ORDER BY `name`

But this code is still vulnerable this way
select id , name from sys_cities where parent_id = '@#FK_ProvinceID' ORDER BY `name`

=>
url : api/1.0/workflow/project/3810212626028ab03488017019616799/process-variable/FK_CityID/execute-query
parameters :
{"FK_ProvinceID":"81971' union select usr_uid , usr_lastname from USERS #","field_id":"FK_CityID","dyn_uid":"5566238366028af11c92f01059083231","app_uid":"26563220960fe7cd17ea610010200362","del_index":1}

[programerboy]

Hi,
I tested with the latest version of the community version, 3.5.8, and both methods I offered are correct.

https://pmlearning.ir
Thanks

[AmirShapourian]

hi
If the query is entered as follows, penetration will be possible through SQL Injection

select id , name from sys_cities where parent_id = '@#FK_ProvinceID' ORDER BY `name`