15 YEARS AGO

Preventing SQL Injection in KenticoCMS

When developing a website in KenticoCMS it is pretty easy to solely rely on the CMS when it comes to security. Although KenticoCMS offers the needed checks against SQL injection, XSS and XSRF attacks, a user should always be careful when working with QueryString parameters (via macros) to set for example a WHERE condition of a web part.

That is why I will cover some basic tips to avoid/prevent SQL injections.

1. Parameterized queries and stored procedures

This one is pretty self-explanatory but needs to be said: the value from the user travels as a parameter, never as part of the SQL text.
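As an added example (not code from the original post or from Kentico), here is the same lookup written once with string concatenation and once as a parameterized command in plain ADO.NET, which is what Kentico queries end up as. The connection, the table `Products`, the column `ProductCode` and the stored procedure name `Product_SelectByCode` are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not Kentico's or the post's code. Table, column and procedure
// names are assumptions; the connection is opened by the caller.
public static class ProductLookup
{
    // VULNERABLE: the query string value is pasted straight into the SQL text,
    // so a single quote in the value changes the statement itself.
    public static DataTable FindByCodeUnsafe(SqlConnection cn, string code)
    {
        string sql = "SELECT ProductName FROM Products WHERE ProductCode = '" + code + "'";
        using (var cmd = new SqlCommand(sql, cn))
        using (var da = new SqlDataAdapter(cmd))
        {
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // SAFE: the value is sent as a typed parameter. The SQL text is a constant,
    // and whatever the user typed is only ever compared as data.
    public static DataTable FindByCode(SqlConnection cn, string code)
    {
        const string sql = "SELECT ProductName FROM Products WHERE ProductCode = @Code";
        using (var cmd = new SqlCommand(sql, cn))
        {
            cmd.Parameters.Add("@Code", SqlDbType.NVarChar, 50).Value = code ?? string.Empty;
            using (var da = new SqlDataAdapter(cmd))
            {
                var dt = new DataTable();
                da.Fill(dt);
                return dt;
            }
        }
    }

    // SAFE: a stored procedure call; parameters are bound the same way.
    public static DataTable FindByCodeProc(SqlConnection cn, string code)
    {
        using (var cmd = new SqlCommand("Product_SelectByCode", cn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Code", SqlDbType.NVarChar, 50).Value = code ?? string.Empty;
            using (var da = new SqlDataAdapter(cmd))
            {
                var dt = new DataTable();
                da.Fill(dt);
                return dt;
            }
        }
    }

    public static void Main()
    {
        // Constructed sample: a value containing a quote is harmless once parameterized.
        using (var cn = new SqlConnection("Server=.;Database=Shop;Integrated Security=true"))
        {
            cn.Open();
            DataTable rows = FindByCode(cn, "O'Reilly-101");
            Console.WriteLine(rows.Rows.Count + " row(s)");
        }
    }
}
```

Note that the parameter is given an explicit `SqlDbType` and length; that keeps the query plan stable and rejects values the column could never hold.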


2. Use the ResolveMacros function in combination with the "avoid injection" boolean set to true

If set to true, macro resolving will avoid SQL injection by escaping single quotes (each single quote in the resolved value is replaced with a pair of single quotes), so the value cannot break out of a quoted SQL string literal.


3. Add a custom macro in the where condition

You can use a custom macro if you want to check for dangerous commands (SELECT, UPDATE, DELETE or ALTER) used in the querystring.
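As an added example (not from the original post or Kentico), here is a hypothetical check that a custom macro could run over a query string value before it goes into a WHERE condition. The keyword list, the `QueryStringGuard` class and its method names are assumptions. Treat this as a belt-and-braces check only: a keyword list flags legitimate values (a category called "Union") and is no substitute for tip 1 and tip 6.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not Kentico's code. A hypothetical keyword check for a
// custom macro; the list of keywords is an assumption.
public static class QueryStringGuard
{
    // Whole-word, case-insensitive match so "selection" or "deleted" are not flagged.
    private static readonly Regex DangerousKeyword = new Regex(
        @"\b(SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|EXEC|UNION)\b",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Comment markers and statement separators have no place in a plain value either.
    private static readonly Regex SqlSyntax = new Regex(@"(--|/\*|;)", RegexOptions.Compiled);

    // True when the value looks like SQL rather than data.
    public static bool ContainsDangerousSql(string value)
    {
        if (string.IsNullOrEmpty(value))
        {
            return false;
        }
        return DangerousKeyword.IsMatch(value) || SqlSyntax.IsMatch(value);
    }

    // Returns the value unchanged when it is clean, otherwise the fallback.
    // A custom macro would return this result into the WHERE condition.
    public static string SafeOrDefault(string value, string fallback)
    {
        return ContainsDangerousSql(value) ? fallback : value;
    }

    public static void Main()
    {
        // Constructed sample values: a normal product name and a flagged one.
        Console.WriteLine(SafeOrDefault("Garden chair", ""));   // Garden chair
        Console.WriteLine(SafeOrDefault("Selected items", ""));  // Selected items (no whole-word match)
        Console.WriteLine(SafeOrDefault("x; DROP TABLE t", "") == ""); // True: rejected
    }
}
```

The point of the whole-word regex is to keep false positives down; a plain `Contains("SELECT")` would also reject "Selected items".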


4. Display custom errors (customErrors mode="On")

Do not display detailed ASP.NET error information to the user when an error occurs. Letting the user see the debugging information (stack traces, query text, column names) makes an attack as easy as taking candy from a baby.


5. Don't use the obsolete code tab to set the WHERE condition

Custom code can be vulnerable to SQL injection. If possible, set the WHERE condition using querystring macros instead.


6. Validate the value of the querystring

If the value of the querystring should be of a specific type, convert it to that type! The line below shows an example:

// Resolve the {?code?} querystring macro with "avoid injection" on, then convert the result to an integer (0 when it is not a valid number).
Int32 code = ValidationHelper.GetInteger(CMSContext.CurrentResolver.ResolveMacros("{?code?}", true), 0);
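To show how tip 2 and tip 6 fit together, here is an added example that is not the post's or Kentico's code. `QuoteEscaped` reproduces the escaping described under tip 2 (each single quote becomes two), and `ParseIntOrDefault` stands in for `ValidationHelper.GetInteger`; both are hypothetical helpers, and the column names `DocumentName` and `NodeID` are used only for illustration. It shows why escaping is enough for a quoted string column but a numeric column needs a real conversion: a value without any quote passes through the escaping unchanged.

```csharp
using System;
using System.Globalization;

// Added example, not Kentico's code. The helpers imitate the behaviour the post
// describes for ResolveMacros(..., true) and ValidationHelper.GetInteger.
public static class WhereConditionBuilder
{
    // Doubling single quotes keeps the value inside a quoted SQL string literal.
    public static string QuoteEscaped(string value)
    {
        return value == null ? string.Empty : value.Replace("'", "''");
    }

    // Type conversion with a fallback, the way the post uses GetInteger(..., 0).
    public static int ParseIntOrDefault(string value, int defaultValue)
    {
        int result;
        return int.TryParse(value, NumberStyles.Integer, CultureInfo.InvariantCulture, out result)
            ? result
            : defaultValue;
    }

    // String column: the value sits between quotes, so escaping is sufficient.
    public static string WhereByName(string rawName)
    {
        return "DocumentName = N'" + QuoteEscaped(rawName) + "'";
    }

    // Numeric column: there are no quotes to escape, so only a conversion
    // guarantees that what ends up in the condition is a number.
    public static string WhereById(string rawId)
    {
        int id = ParseIntOrDefault(rawId, 0);
        return "NodeID = " + id.ToString(CultureInfo.InvariantCulture);
    }

    public static void Main()
    {
        // Constructed sample inputs as they might arrive in a querystring.
        Console.WriteLine(WhereByName("O'Reilly"));   // DocumentName = N'O''Reilly'
        Console.WriteLine(WhereById("42"));          // NodeID = 42
        Console.WriteLine(WhereById("12abc"));       // NodeID = 0 (not a number, fallback used)
        Console.WriteLine(QuoteEscaped("12abc"));    // 12abc (escaping alone changes nothing here)
    }
}
```

The last line of `Main` is the reason for tip 6: escaping protects string literals only, so for an ID, a count or any other number, convert first and build the condition from the converted value.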