MAJOR MAJOR BUG!!! SQL Injection possible using DI Server
My colleague is testing my SBO application which uses the DI Server. I was under the impression that DI Server only allows select statements, but that is not true!! I suspect that the DI Server only checks whether the query starts with 'SELECT'. If that's so, then the statement can be executed.
So what if you do this?
SELECT 1; DELETE FROM OITM
This would be a valid statement, but it will also delete your entire item table. You can execute stored procedures, drop tables and do everything you'd like.
More info about SQL injection:
Gianluigi BAGNOLI replied
I am not sure this is so easily doable. How can it be possible to detect from code whether a script writes the DB? In a productive environment I mean, with no big impact on performance.
In general this is a problem you will find every time there is an API insisting on a DB and with some validation logic in it. It will always be possible to go directly into the DB with an ODBC connection and break the validation logic in the API.
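As an added example (not code from the thread, the DI Server or SAP), the snippet below contrasts the prefix check the first post suspects with a check that rejects stacked statements and write keywords, which is one answer to the reply's question of how an API layer can detect writes. It assumes T-SQL syntax (string literals with '' escaping, [bracketed] identifiers, -- and /* */ comments) and, as the reply points out, does nothing about a direct ODBC connection; only DB-level privileges close that path.

```python
import re

# Write/DDL keywords that never belong in a read-only query (SELECT ... INTO is a write).
WRITE_KEYWORDS = {"DELETE", "DROP", "INSERT", "UPDATE", "EXEC", "EXECUTE",
                  "ALTER", "TRUNCATE", "MERGE", "CREATE", "GRANT", "INTO"}


def naive_is_select(sql: str) -> bool:
    """The check the first post suspects the DI Server performs: prefix only."""
    return sql.lstrip().upper().startswith("SELECT")


def strip_literals_and_comments(sql: str) -> str:
    """Blank out 'strings', [bracketed identifiers] and comments so separators
    or keywords inside them are not mistaken for statement structure."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] == "'":                       # 'string', with '' as escape
            j = i + 1
            while j < n and not (sql[j] == "'" and sql[j + 1:j + 2] != "'"):
                j += 2 if sql[j] == "'" else 1
            out.append(" "); i = j + 1
        elif sql[i] == "[":                     # [identifier]
            j = sql.find("]", i + 1)
            out.append(" "); i = n if j == -1 else j + 1
        elif sql.startswith("--", i):           # line comment: keep the newline
            j = sql.find("\n", i)
            i = n if j == -1 else j
        elif sql.startswith("/*", i):           # block comment
            j = sql.find("*/", i + 2)
            out.append(" "); i = n if j == -1 else j + 2
        else:
            out.append(sql[i]); i += 1
    return "".join(out)


def strict_is_single_select(sql: str) -> bool:
    """Reject batches (';' outside literals/comments), non-SELECT statements and
    write keywords anywhere, which also catches a second statement SQL Server
    accepts without any ';' at all (e.g. 'SELECT 1 DELETE FROM OITM')."""
    cleaned = strip_literals_and_comments(sql)
    statements = [s for s in cleaned.split(";") if s.strip()]
    if len(statements) != 1:
        return False
    tokens = re.findall(r"[A-Za-z_]+", statements[0].upper())
    # A column literally named Delete or Into is rejected too: err on the side of denial.
    return bool(tokens) and tokens[0] == "SELECT" and not (set(tokens) & WRITE_KEYWORDS)


if __name__ == "__main__":
    payload = "SELECT 1; DELETE FROM OITM"   # the statement from the first post
    print(naive_is_select(payload), strict_is_single_select(payload))   # True False
```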