Serious problem of scriptcase security (Urgent)

Everyone can inject SQL code into a select, radio or checkbox field value (see attachment).
I use just a select command; the hackers can use any command they wish.
This issue exists in all fields that have an Ajax lookup.

I haven’t done it myself … but have you tried the macro sc_sql_injection?

Ex. 1: Protecting a local variable:
$field_protect = sc_sql_injection({my_field});

I agree with you if we talk about events,
but in a lookup field PHP code doesn’t work; we can only put SQL code.

Use PDO when setting up your database connection.

Have a look at this article:

It’s a general issue.
You can test it on your generated applications: if you have a lookup field, everyone can inject SQL code into your field, see the example in the picture above.
This example is from the Scriptcase samples on their website.

I will do that. In the interim … here’s a php article on PDO with MSSQL.

My guess is that SC, when building samples, are showing the features of the software … and the sample is just a quick and dirty little thing to show us that feature … I know that in most of their samples that I’ve looked at they are using a SQLITE database - which is nothing but a text file really. I have yet to take a sample from SC and use it right out of the box; lots of coding to make it do what I want.

Thank you for your time,
Me too, I do a lot of coding to make what I want, but in the Ajax lookup function (not a macro, picture below) you can’t code anything, because you do it via the Scriptcase interface and you can’t put any PHP code.

How can I protect my {region_candidat} variable in this case?
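A worked version of the two threads of advice above (the PDO suggestion and the question of protecting {region_candidat}), added here as an example; it is not Scriptcase's code nor any poster's. It runs against an in-memory SQLite database so it works offline; the candidats table, its rows and the region_candidat parameter name are constructed for the demo, and the mysql and sqlsrv DSNs in the comments are placeholders. It shows the lookup query first with the value pasted into the SQL text, then with a bound parameter, then with an allow-list check that suits a lookup field whose valid options the application itself rendered.

```php
<?php
declare(strict_types=1);

// Added example, not Scriptcase's own code. Everything below (table, rows,
// parameter name) is constructed for the demo.

function connect(): PDO
{
    // Demo connection. For production swap the DSN (credentials are placeholders):
    //   MySQL: new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD')
    //   MSSQL: new PDO('sqlsrv:Server=DB_HOST;Database=DB_NAME', 'DB_USER', 'DB_PASSWORD')
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE candidats (id INTEGER PRIMARY KEY, nom TEXT, region TEXT)');
    $insert = $pdo->prepare('INSERT INTO candidats (nom, region) VALUES (:nom, :region)');
    // Constructed sample rows; the last region legitimately contains a quote.
    foreach ([['Ana', 'Nord'], ['Bilal', 'Sud'], ['Chloé', "Val d'Oise"]] as [$nom, $region]) {
        $insert->execute([':nom' => $nom, ':region' => $region]);
    }
    return $pdo;
}

// UNSAFE: the lookup value is pasted into the SQL text, so whatever arrives in
// the request parameter becomes part of the statement the server parses.
function lookupUnsafe(PDO $pdo, string $regionCandidat): array
{
    $sql = "SELECT id, nom FROM candidats WHERE region = '{$regionCandidat}'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the value travels as a bound parameter; the SQL text never changes.
function lookupSafe(PDO $pdo, string $regionCandidat): array
{
    $stmt = $pdo->prepare('SELECT id, nom FROM candidats WHERE region = :region');
    $stmt->execute([':region' => $regionCandidat]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Extra check suited to a lookup field: the submitted value must be one of the
// options the application rendered, so anything else is rejected before querying.
function lookupAllowListed(PDO $pdo, string $regionCandidat, array $allowedRegions): array
{
    if (!in_array($regionCandidat, $allowedRegions, true)) {
        throw new InvalidArgumentException('region_candidat is not one of the rendered options');
    }
    return lookupSafe($pdo, $regionCandidat);
}

$pdo = connect();
// Stand-in for $_GET['region_candidat']: a legitimate value that contains a quote.
$region = "Val d'Oise";

try {
    lookupUnsafe($pdo, $region);
} catch (PDOException $e) {
    // The quote inside the data ended the string literal: the value was parsed as SQL.
    echo 'unsafe lookup raised: ' . $e->getMessage() . "\n";
}

// With a bound parameter the same value is treated purely as data.
print_r(lookupSafe($pdo, $region));

// Allow-list built from the options the application would have rendered.
$allowed = array_column(
    $pdo->query('SELECT DISTINCT region FROM candidats')->fetchAll(PDO::FETCH_ASSOC),
    'region'
);
print_r(lookupAllowListed($pdo, $region, $allowed));
```

The point of the quoted region name is that the unsafe query breaks on ordinary data, not only on a deliberate payload: any lookup built by string concatenation lets request content reach the SQL parser. The bound-parameter form is the fix the PDO advice above refers to; the allow-list is an additional layer for fields whose valid values are fixed, and it works equally against MySQL and MSSQL because it never depends on the database's quoting rules.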

I will play with it and see if I can reproduce the issue. I haven’t encountered anything like that. I am using a PDO driver on mySQL - but I also have MSSQL here so maybe I’ll make a connection to that.

You can also test with MySQL; it’s a serious problem.
For MySQL and Linux I fixed the problem with the CentOS firewall (it blocks any SQL/JavaScript code that exists in the HTTP request), but on Windows and MSSQL I have this issue.