SQL injection protection on Perform JDBC Query assertion

Article Id: 142965

Status: Published

Updated On: 13-01-2020 14:07

Products:

CA API Gateway , API SECURITY , CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7) , CA API Gateway Enterprise Service Manager (Layer 7) , STARTER PACK-7 , CA Microgateway

Issue/Introduction:

Can you give any information on whether there is any build-in SQL injection protection on the "JDBC Query assertion"?
The documentation does not say anything about this.

For example: We are using queries like this (without the "Convert Variables to Strings" option checked): INSERT INTO SomeTable (Somecolumn) VALUES (${someValue});
Is such usage at risk for sql injection attacks or will the api gateway execute this using prepared statements?

Environment:

Release : 9.4

Component : API GTW ENTERPRISE MANAGER

Resolution:

Gateway uses prepared statements and replaces the context variable references with the parameter marker (?).

Option "Convert Variables to Strings" ensures you to supply the value to the parameter as String or as it is.
Imagine, multi-value context variable is referenced, its value is stringified as a comma-separated list. In such cases, you might require to pass the values as it is.

Otherwise, JDBC query execution is free from SQL injection attacks.