SQL injection protection on Perform JDBC Query assertion
Article ID: 142965
Products
CA API Gateway, API SECURITY, CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7), CA API Gateway Enterprise Service Manager (Layer 7), STARTER PACK-7, CA Microgateway
Issue/Introduction
Can you give any information on whether there is any built-in SQL injection protection on the "JDBC Query assertion"? The documentation does not say anything about this.
For example, we are using queries like this (without the "Convert Variables to Strings" option checked):
INSERT INTO SomeTable (Somecolumn) VALUES (${someValue});
Is such usage at risk for SQL injection attacks, or will the API Gateway execute this using prepared statements?
Environment
Release : 9.4
Component : API GTW ENTERPRISE MANAGER
Resolution
The Gateway executes the query as a JDBC prepared statement. Each context variable reference in the query text is replaced with a parameter marker (?), and the variable's value is bound to that parameter when the statement runs; the value is never concatenated into the SQL text. A parameter marker can only stand in for a value, so this applies to variable references in value positions such as the VALUES list or a WHERE comparison, which is where injection would otherwise occur.
The "Convert Variables to Strings" option controls whether the bound value is supplied as a String or passed as-is. If a multi-valued context variable is referenced with this option checked, its value is stringified as a comma-separated list and bound as a single String parameter, which is usually not what a query such as an IN (...) list expects. When the values need to reach the database as they are, leave the option unchecked.
Because the variable references are bound as parameters, the JDBC Query assertion is not susceptible to SQL injection through the referenced context variables, with or without the "Convert Variables to Strings" option.
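The following is an added illustration written for this article, not Gateway source code. It models the behaviour described above: the ${var} references in a query template are rewritten to ? markers, the values are bound separately, and an injection payload supplied through a variable is stored as data. It also shows why the "Convert Variables to Strings" option matters for a multi-valued variable. The function names, the sqlite3 backend, the table contents and the hostile input are all constructed for the example; in particular, the one-marker-per-element expansion used when the option is off is this model's way of passing values as-is and is not a description of the Gateway's internals.

```python
"""Model of a ${var} query template executed as a prepared statement.

Example code written for this article; it is not Gateway source. render_query,
run_query, demo and the sqlite3 backend are assumptions made for the demo.
"""
import re
import sqlite3

# Matches context variable references such as ${someValue} or ${request.id}
VAR_REF = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


def render_query(template, context, convert_to_strings=True):
    """Replace every ${var} with a '?' marker and return (sql, bound_params).

    A single-valued variable always binds as one parameter. With
    convert_to_strings=True a multi-valued variable is stringified as a
    comma-separated list and bound as ONE string parameter, as the article
    describes. With the option off this model binds one marker per element;
    that expansion is an illustration of "passing the values as they are",
    not a statement about how the Gateway does it.
    """
    params = []

    def replace(match):
        value = context[match.group(1)]
        if isinstance(value, (list, tuple)):
            if convert_to_strings:
                params.append(",".join(str(v) for v in value))
                return "?"
            params.extend(value)
            return ",".join("?" for _ in value)
        params.append(str(value) if convert_to_strings else value)
        return "?"

    return VAR_REF.sub(replace, template), params


def run_query(conn, template, context, convert_to_strings=True):
    """Render the template and execute it; values travel as bind parameters only."""
    sql, params = render_query(template, context, convert_to_strings)
    return conn.execute(sql, params).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SomeTable (id INTEGER PRIMARY KEY, Somecolumn TEXT)")

    # Constructed hostile input: concatenated into SQL text it would close the
    # VALUES clause and drop the table. Bound as a parameter it is just a string.
    payload = "x'); DROP TABLE SomeTable; --"
    insert = "INSERT INTO SomeTable (Somecolumn) VALUES (${someValue})"
    run_query(conn, insert, {"someValue": payload})
    stored = [row[0] for row in conn.execute("SELECT Somecolumn FROM SomeTable")]

    # Two more rows (ids 2 and 3) for the multi-valued variable comparison.
    conn.executemany("INSERT INTO SomeTable (Somecolumn) VALUES (?)", [("a",), ("b",)])
    select = "SELECT Somecolumn FROM SomeTable WHERE id IN (${ids})"
    ids = [2, 3]
    # Stringified: IN (?) receives the single string "2,3" and matches nothing.
    as_string = run_query(conn, select, {"ids": ids}, convert_to_strings=True)
    # As-is (this model's expansion): IN (?,?) receives 2 and 3 separately.
    as_is = run_query(conn, select, {"ids": ids}, convert_to_strings=False)

    return {
        "rendered": render_query(insert, {"someValue": payload})[0],
        "stored": stored,
        "as_string": as_string,
        "as_is": as_is,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The rendered INSERT contains only the marker, so the payload can never change the statement's structure; the table survives and the hostile text is what gets stored. The IN (...) comparison shows the stringification trade-off the Resolution points out: the same two ids match rows only when they are not collapsed into one string.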