Serious problem of scriptcase security (Urgent)

Everyone can inject SQL code into a select, radio or checkbox field value (see attachment).
I use just a select command; the hackers can use any command they wish.
This issue exists in all fields that have an ajax lookup.

I haven’t done it myself … but have you tried the macro sc_sql_injection?

Ex. 1: Protecting a local variable:
$field_protect = sc_sql_injection({my_field});

I agree if we talk about events,
but in a lookup field PHP code doesn’t work; we can only put SQL code.

Use PDO when setting up your database connection.

Have a look at this article:

I use MSSQL
It’s a general issue.
You can test on your generated applications: if you have a lookup field, everyone can inject SQL code into your field; see the example in the picture above.
This example is from the Scriptcase samples on their website.

I will do that. In the interim … here’s a PHP article on PDO with MSSQL.
https://www.php.net/manual/en/ref.pdo-dblib.php
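As an added illustration of the PDO suggestion above (example code written for this thread, not from any poster and not Scriptcase’s own code): the same lookup query built two ways, for the case where the query lives in your own PHP code. The table `candidats`, its columns `id`, `nom`, `region`, the request parameter name and the DSN are assumptions; replace them with your own.

```php
<?php
// Added example (not from the thread or Scriptcase): the same lookup query
// written two ways. Table/column names, request parameter and DSN are assumptions.

// Vulnerable pattern: the lookup value from the HTTP request is pasted
// straight into the SQL text, so the request content is parsed as SQL
// syntax rather than treated as data.
function lookupUnsafe(PDO $db, string $region): array
{
    $sql = "SELECT id, nom FROM candidats WHERE region = '" . $region . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: a prepared statement with a bound parameter. The value
// travels separately from the query text (or is quoted by the driver when
// prepares are emulated), so it is always compared as a literal string.
function lookupSafe(PDO $db, string $region): array
{
    $stmt = $db->prepare('SELECT id, nom FROM candidats WHERE region = :region');
    $stmt->bindValue(':region', $region, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth for a lookup that only ever receives keys from a fixed
// list: reject anything that is not an allowed key before touching the DB.
function lookupAllowListed(PDO $db, string $region, array $allowed): array
{
    if (!in_array($region, $allowed, true)) {
        throw new InvalidArgumentException('unknown region key');
    }
    return lookupSafe($db, $region);
}

// DSN for the pdo_dblib driver from the linked manual page; the host,
// database and credentials below are placeholders.
$db = new PDO(
    'dblib:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER'
);
// Throw on SQL errors instead of silently returning false.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Assumed request parameter name for the lookup value.
$region = $_GET['region_candidat'] ?? '';
print_r(lookupSafe($db, $region));
```

The allow-list variant fits a lookup whose keys you control (a fixed set of regions); the bound-parameter variant is the general fix and needs no knowledge of the valid values. Neither helps for a lookup whose SQL is generated entirely by the tool’s interface, which is the case the thread is about; there the protection has to come from the tool’s own query construction.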

My guess is that SC, when building samples, is showing the features of the software … and the sample is just a quick and dirty little thing to show us that feature … I know that in most of their samples that I’ve looked at they are using a SQLite database - which is nothing but a text file really. I have yet to take a sample from SC and use it right out of the box; lots of coding to make it do what I want.

Thank you for your time,
Me too, I do a lot of coding to make what I want, but in the ajax lookup function (not a macro; picture below) you can’t code anything because you do it via the Scriptcase interface and you can’t put any PHP code.

How can I protect my {region_candidat} variable in this case?

I will play with it and see if I can reproduce the issue. I haven’t encountered anything like that. I am using a PDO driver on MySQL - but I also have MSSQL here so maybe I’ll make a connection to that.

bhardin,
You can also test with MySQL; it’s a serious problem.
For MySQL and Linux I fixed the problem with the CentOS firewall (it blocks any SQL/JavaScript code that exists in the HTTP request), but on Windows and MSSQL I have this issue.
Regards