Questions and discussion about developing processes and programming in PHP, JavaScript, web services & REST API.

Moderator: ArturoRobles

Forum rules: Please search to see if a question has already been asked before creating a new topic. Please don't post the same question in multiple forums.
#829402
hi
I encountered a problem while using the API
I used the dropdown list in dynamic forms and wrote a query for it to list cities by state as follows:

select id , name from sys_cities where parent_id =@#FK_ProvinceID ORDER BY `name`

But when using the web service, it becomes vulnerable to SQL injection as follows:

url : api/1.0/workflow/project/3810212626028ab03488017019616799/process-variable/FK_CityID/execute-query
parameters :
{"FK_ProvinceID":"81971 union select usr_uid , usr_lastname from USERS","field_id":"FK_CityID","dyn_uid":"5566238366028af11c92f01059083231","app_uid":"26563220960fe7cd17ea610010200362","del_index":1}

Are there any settings to solve this problem?
#829420
hi
thanks for reply
this code solved my problem:
select id , name from sys_cities where parent_id = @@FK_ProvinceID ORDER BY `name`

But this code is still vulnerable this way:
select id , name from sys_cities where parent_id = '@#FK_ProvinceID' ORDER BY `name`

=>
url : api/1.0/workflow/project/3810212626028ab03488017019616799/process-variable/FK_CityID/execute-query
parameters :
{"FK_ProvinceID":"81971' union select usr_uid , usr_lastname from USERS #","field_id":"FK_CityID","dyn_uid":"5566238366028af11c92f01059083231","app_uid":"26563220960fe7cd17ea610010200362","del_index":1}
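The posts above show the same dependent-dropdown query being broken whether the variable is pasted in raw or wrapped in single quotes. What both forms lack is a strict allow-list check on the foreign key and a query that binds the value instead of splicing it into SQL text. The following is an added example written for this thread, not ProcessMaker code: it emulates the execute-query handler against a constructed in-memory SQLite table named sys_cities (the column layout and sample rows are assumptions) and feeds it the two parameter sets quoted in the posts plus a benign one.

```python
import json
import re
import sqlite3

# Constructed stand-in for the sys_cities table: (id, parent_id, name).
SAMPLE_CITIES = [(1, 81971, "Yazd"), (2, 81971, "Meybod"), (3, 81972, "Shiraz")]

# The two parameter sets from the posts above (app/dyn uids dropped), plus a benign one.
RAW_PAYLOAD = '{"FK_ProvinceID":"81971 union select usr_uid , usr_lastname from USERS","field_id":"FK_CityID"}'
QUOTED_PAYLOAD = '{"FK_ProvinceID":"81971\' union select usr_uid , usr_lastname from USERS #","field_id":"FK_CityID"}'
GOOD_PAYLOAD = '{"FK_ProvinceID":"81971","field_id":"FK_CityID"}'

# parent_id is a numeric foreign key, so digits only (length bound is an assumption).
FK_PATTERN = re.compile(r"[0-9]{1,10}")


def build_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_cities (id INTEGER, parent_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO sys_cities VALUES (?, ?, ?)", SAMPLE_CITIES)
    return conn


def parse_province_id(raw):
    """Allow-list check: returns the integer key, or None if the value carries
    anything other than digits (spaces, quotes and comment markers all fail)."""
    text = "" if raw is None else str(raw)
    if not FK_PATTERN.fullmatch(text):
        return None
    return int(text)


def list_cities(conn, province_id):
    """The dropdown query with the key bound as a parameter, so the database
    never interprets the submitted value as SQL (unlike @# or '@#' splicing)."""
    sql = "SELECT id, name FROM sys_cities WHERE parent_id = ? ORDER BY name"
    return conn.execute(sql, (province_id,)).fetchall()


def handle_request(conn, payload_json):
    """Emulates the execute-query endpoint: validate first, then run the bound
    query. Returns the rows, or None when FK_ProvinceID fails validation."""
    params = json.loads(payload_json)
    province_id = parse_province_id(params.get("FK_ProvinceID"))
    if province_id is None:
        return None
    return list_cities(conn, province_id)


if __name__ == "__main__":
    db = build_db()
    for label, payload in (("good", GOOD_PAYLOAD), ("raw", RAW_PAYLOAD), ("quoted", QUOTED_PAYLOAD)):
        print(label, handle_request(db, payload))
```

A rejected request is also the natural place to log the field name and the offending value for detection, since a legitimate dropdown never submits anything but a bare number for this parameter.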