SQL injection protection on Perform JDBC Query assertion

Article ID: 142965

Products

CA API Gateway
API SECURITY
CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
CA API Gateway Enterprise Service Manager (Layer 7)
STARTER PACK-7
CA Microgateway

Issue/Introduction

Can you give any information on whether there is any built-in SQL injection protection on the "JDBC Query assertion"?
The documentation does not say anything about this.

For example: we are using queries like this (without the "Convert Variables to Strings" option checked): INSERT INTO SomeTable (Somecolumn) VALUES (${someValue});
Is such usage at risk of SQL injection attacks, or will the API Gateway execute this using prepared statements?

Environment

Release : 9.4

Component : API GTW ENTERPRISE MANAGER

Resolution

The Gateway executes the query as a prepared statement: each context variable reference (${someValue}) in the query text is replaced with a parameter marker (?), and the variable's value is bound to that parameter rather than concatenated into the SQL.

The "Convert Variables to Strings" option controls whether the value is supplied to the parameter as a String or passed as it is.
For example, when a multi-value context variable is referenced, its value is stringified as a comma-separated list; in such cases you may need to pass the values as they are instead.

Either way, because the values are bound as parameters and never become part of the SQL text, JDBC query execution through this assertion is not exposed to SQL injection attacks.
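To make the resolution concrete, the following added example (written for this article, not code from the CA API Gateway) simulates the documented behaviour with Python's standard sqlite3 driver: the ${someValue} reference in the customer's INSERT is rewritten to a ? marker, the value is bound as a parameter, and a hostile-looking string is stored verbatim instead of being interpreted as SQL. The `parameterize` and `run_insert` helpers, the `convert_to_strings` flag that mirrors the "Convert Variables to Strings" option, and the comma-without-space separator used when stringifying a multi-value variable are all assumptions of this example.

```python
import re
import sqlite3

# Matches ${name} context-variable references in a query template.
VAR_REF = re.compile(r"\$\{([A-Za-z0-9_.\-]+)\}")


def parameterize(template, context, convert_to_strings=True):
    """Rewrite every ${var} reference in `template` to a '?' parameter marker
    and return (sql, params) ready for a prepared statement.

    convert_to_strings=True models the assertion option of the same name:
    every value is bound as a String, and a multi-valued variable becomes a
    single comma-separated String (the exact separator is an assumption).
    With False the value object is bound as it is, and what the JDBC driver
    does with a non-String value is up to the driver.
    """
    params = []

    def to_marker(match):
        name = match.group(1)
        if name not in context:
            raise KeyError(f"unresolved context variable: {name}")
        value = context[name]
        if convert_to_strings:
            if isinstance(value, (list, tuple)):
                value = ",".join(str(v) for v in value)
            else:
                value = str(value)
        params.append(value)
        return "?"  # the value itself never enters the SQL text

    return VAR_REF.sub(to_marker, template), tuple(params)


# The query from the question, as written in the assertion.
TEMPLATE = "INSERT INTO SomeTable (Somecolumn) VALUES (${someValue})"


def run_insert(value, convert_to_strings=True):
    """Execute TEMPLATE against an in-memory SQLite database and return the
    rows stored in SomeTable, showing that the bound value is treated as data.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SomeTable (Somecolumn)")
    sql, params = parameterize(TEMPLATE, {"someValue": value}, convert_to_strings)
    conn.execute(sql, params)  # sqlite3 binds the '?' markers, as JDBC does
    rows = [r[0] for r in conn.execute("SELECT Somecolumn FROM SomeTable")]
    conn.close()
    return rows


if __name__ == "__main__":
    # Constructed hostile input: would be dangerous if concatenated, inert when bound.
    payload = "x'); DROP TABLE SomeTable; --"
    print(parameterize(TEMPLATE, {"someValue": payload}))
    print(run_insert(payload))                       # stored verbatim, table intact
    print(run_insert(["a", "b", "c"]))               # multi-value, stringified
    print(run_insert(42, convert_to_strings=False))  # native type kept as-is
```

Running the script shows the rewritten statement `INSERT INTO SomeTable (Somecolumn) VALUES (?)` with the payload as a separate bound parameter; the SELECT afterwards returns the payload as an ordinary string and SomeTable still exists. The multi-value call illustrates why the option matters: with "Convert Variables to Strings" on, `["a", "b", "c"]` is stored as one comma-separated value, so a use case that needs the elements individually would turn the option off and pass the values as they are.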