Saturday, February 25, 2012

looking for security guidelines to avoid sql injection risks with xquery

Hi, I hope this forum can help me clarify my security concerns for my scenario:

I want a user to be able to filter SQL rows by using XQuery on untyped XML that is stored in an XMLDataType column. My table will have multiple rows/columns, with one column being XML.

I would like to get some guidance on how a user can specify their "filter" condition string using the XQuery syntax without hard coding any dependency on the server side (the client decides which items they are interested in), and I would like to know the guidelines on how to translate the XQuery on the server to avoid any SQL injection risks. For instance, perhaps I should double all single quotes in the given XQuery string. Also, I am concerned about sql:variables that may be able to access private variables inside a stored proc; has this been an issue?

Thanks!!

All of the issues you bring up are concerns:

- SQL injection
- sql:column
- sql:variable
- very expensive queries can lead to Denial of Service attacks

XQuery is code, so it should be treated similarly to SELECT statements; in general it is difficult to safely execute untrusted queries.

Ways around this would be to:

- Use a set of parameterized stored procedures that reasonably covers the likely set of queries users are going to execute.
- Give each user their own database and assume that they have full SELECT permissions on it. (This won't prevent Denial of Service type attacks, but could prevent users from accessing other users' data in the event of SQL injection.)
- Use full-text search. The queries won't be as expressive, but it might be good enough to filter rows.
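The first remedy above, worked through as an added T-SQL example (not code from either poster): the client-supplied value is bound into a fixed XQuery with sql:variable() instead of being spliced into the query text. The table name dbo.Orders, the procedure name dbo.FindOrdersBySku and the sample rows are assumptions made for the illustration; the injection-prone version is shown first so the difference is visible.

```sql
-- Added example, not from the original thread. Table, column and procedure names
-- are assumed for illustration; the sample rows are constructed.
CREATE TABLE dbo.Orders
(
    OrderId int IDENTITY(1,1) PRIMARY KEY,
    Owner   sysname NOT NULL,
    Payload xml NOT NULL            -- untyped XML, as in the question
);

INSERT INTO dbo.Orders (Owner, Payload) VALUES
(N'alice', N'<order><item sku="A100" qty="2"/><note>gift</note></order>'),
(N'bob',   N'<order><item sku="B200" qty="1"/></order>');
GO

-- Vulnerable pattern: the client's filter value is concatenated into the XQuery,
-- and the whole statement is then built as dynamic SQL. A value such as
--   A100" or 1=1 or @sku="x
-- turns the predicate into [@sku="A100" or 1=1 or @sku="x"], which matches every row;
-- a value containing a single quote also breaks out of the T-SQL string literal,
-- which is ordinary SQL injection. Doubling quotes does not address the first problem.
DECLARE @userSku nvarchar(50) = N'A100';
DECLARE @sql nvarchar(max) =
    N'SELECT OrderId FROM dbo.Orders '
  + N'WHERE Payload.exist(''/order/item[@sku="' + @userSku + N'"]'') = 1;';
EXEC sp_executesql @sql;   -- do not do this with untrusted input
GO

-- Hardened pattern: the XQuery is a string literal fixed at design time; the client
-- value reaches it only through sql:variable(), which binds @Sku as data. The value
-- can never change the structure of the XQuery or of the surrounding T-SQL.
CREATE PROCEDURE dbo.FindOrdersBySku
    @Owner sysname,
    @Sku   nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId
    FROM dbo.Orders
    WHERE Owner = @Owner
      AND Payload.exist('/order/item[@sku = sql:variable("@Sku")]') = 1;
END;
GO

EXEC dbo.FindOrdersBySku @Owner = N'alice', @Sku = N'A100';                    -- OrderId 1
EXEC dbo.FindOrdersBySku @Owner = N'alice', @Sku = N'A100" or 1=1 or @sku="x';  -- no rows
```

The XQuery argument to exist(), query() and value() must be a string literal, so there is no way to hand an entire client-written XQuery to SQL Server without building dynamic SQL; that is why the answer recommends a fixed set of procedures, each exposing only the parameters the client may vary. Inside such a procedure sql:variable() can only reference variables declared in the procedure's own scope, which the client cannot name because the XQuery text is not theirs to write.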
