MAJOR MAJOR BUG!!! SQL Injection possible using DI Server

Former Member
0 Kudos

My colleague is testing my SBO application which uses the DI Server. I was under the impression that DI Server only allows select statements, but that is not true!! I suspect that the DI Server only checks whether the query starts with 'SELECT'. If that's so, then the statement can be executed.

So what if you do this?

SELECT 1; DELETE FROM OITM

This would be a valid statement, but it will also delete your entire item table. You can execute stored procedures, drop tables and do everything you'd like.

More info about SQL injection:

http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx

Accepted Solutions (1)

Former Member
0 Kudos

Perhaps I should rename the MAJOR MAJOR BUG bit to CAUTION CAUTION DEVELOPERS

Anyway, I'm fixing this hole for us now, but I think it's strange that this can be allowed using the tools SAP hands us. I can't imagine a scenario where you would want to use SQL injection from a developer's point of view, since you'll void your support. In the end, I don't think it's SAP's duty to fix this, that statement would be too heavy, but it should be a service they offer developers and clients to build trust in their product. Why do thousands of developers have to fix this, while SAP can do this for everyone at once?

Gianluigi
Product and Topic Expert
0 Kudos

I am not sure this is so easily doable. How can it be possible to detect from code whether a script writes to the DB? In a productive environment, I mean, with no big impact on performance.

In general this is a problem you will find every time there is an API built on a DB with some validation logic in it. It will always be possible to go directly into the DB with an ODBC connection and bypass the validation logic in the API.
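An added example, not code from the thread or from SAP's DI Server, that puts the prefix check the original post suspects next to one answer to the question above of how to keep a script from writing to the DB without parsing it: let the database engine refuse anything but reads at statement-compile time. SQLite's authorizer hook stands in for the real server here, and the OITM table, its columns and rows are constructed.

```python
import sqlite3

# Constructed stacked query from the thread: it passes a "starts with
# SELECT" check, but the second statement empties the item table.
STACKED = "SELECT 1; DELETE FROM OITM"

def naive_is_select(sql):
    """The check the original post suspects DI Server performs: prefix only."""
    return sql.lstrip().upper().startswith("SELECT")

# Authorizer actions a pure read needs: the SELECT itself, column reads and
# function calls. Anything else (INSERT, UPDATE, DELETE, DROP, PRAGMA, ...)
# is denied before the statement is even compiled, so no parsing is needed.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
                     sqlite3.SQLITE_FUNCTION}

def _read_only_authorizer(action, arg1, arg2, db_name, trigger):
    if action in READ_ONLY_ACTIONS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def make_demo_db():
    """Constructed stand-in for the B1 item table OITM with two rows.
    The authorizer is installed once, after setup, and never removed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OITM (ItemCode TEXT, ItemName TEXT)")
    conn.executemany("INSERT INTO OITM VALUES (?, ?)",
                     [("A001", "Widget"), ("A002", "Gadget")])
    conn.commit()
    conn.set_authorizer(_read_only_authorizer)
    return conn

def run_query(conn, sql):
    """Run one statement on the read-only connection.
    Returns ("ok", rows) or ("denied", reason)."""
    try:
        # execute() compiles a single statement, so a stacked query is
        # rejected outright (executescript() would run it: never feed
        # it untrusted input).
        return "ok", conn.execute(sql).fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning) as e:
        return "denied", "stacked statements: %s" % e
    except sqlite3.DatabaseError as e:
        return "denied", "engine refused: %s" % e

def item_count(conn):
    return conn.execute("SELECT COUNT(*) FROM OITM").fetchone()[0]
```

The same idea on a real server is a dedicated database login that holds only SELECT rights on the application tables; the prefix check then becomes a convenience, not the security boundary.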

Answers (1)

Gianluigi
Product and Topic Expert
0 Kudos

This is not a bug. Once you have got a connection to the DB you can inject SQL calls anyway, for instance with a recordset, or with a direct SQL connection with ODBC or OleDB. This is technically possible.

BUT

development guidelines do not allow you to do so and the solution certification program explicitly forbids you to do so. Besides, if your solution does this then you are losing support from SAP.

Have a look at the solution certification program at

From there you can get the guidelines behind the program, what is checked and which tools are used. Among these tools there is also B1TE, i.e. B1 Test Environment, a set of tools available on SDN that helps you in profiling the execution of your solution and finding violations of the solution development guidelines. Enjoy, it is available under the usual section "Business One SDK tools" on SDN.