PAM provides protection from SQL injection, and this is one of the things our vulnerability tests keep an eye out for.
- On the Credential Manager side, pretty much all of our queries use the Java prepared query command. Properly used, that protects against SQL injection all by itself.
- On the Access Manager side, we take a different approach. Most (it is supposed to be all) customer-supplied data that is used to help build a query runs through the PHP function mysqli_real_escape_string, which protects against SQL injection.
If you detect any vulnerability of this kind, or of any other kind, please open a support case describing it so that it can be resolved as soon as possible.
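The two approaches described above, side by side, as an added example that is not PAM's own code. It uses Python with an in-memory SQLite database so it runs offline; the table, the function names and the quote-doubling `escape_literal` helper (a stand-in for an escaping function such as mysqli_real_escape_string, whose MySQL rules differ) are assumptions. It shows what "properly used" means in practice: a bound parameter is never parsed as SQL, while an escaped value is only safe inside a quoted string literal.

```python
import sqlite3

def make_db():
    """Constructed sample data: two accounts in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [(1, "alice"), (2, "o'brien")])
    return conn

def by_name_bound(conn, name):
    # Prepared/parameterized query: the value is bound, never parsed as SQL.
    return conn.execute(
        "SELECT id FROM accounts WHERE name = ?", (name,)).fetchall()

def escape_literal(value):
    # Hypothetical stand-in for an escaping function. SQLite string literals
    # only need single quotes doubled; MySQL's escaping rules are different.
    return str(value).replace("'", "''")

def by_name_escaped(conn, name):
    # Escaping works here because the value sits inside a quoted literal.
    sql = "SELECT id FROM accounts WHERE name = '" + escape_literal(name) + "'"
    return conn.execute(sql).fetchall()

def by_id_escaped_unquoted(conn, user_id):
    # Misuse: the value is escaped but placed in an unquoted numeric context,
    # so there is no quote to break out of and escaping changes nothing.
    sql = "SELECT id FROM accounts WHERE id = " + escape_literal(user_id)
    return conn.execute(sql).fetchall()

def by_id_bound(conn, user_id):
    # The bound form stays safe regardless of the column type.
    return conn.execute(
        "SELECT id FROM accounts WHERE id = ?", (user_id,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    hostile_name = "x' OR '1'='1"   # constructed test input
    hostile_id = "1 OR 1=1"         # constructed test input
    print("bound name:      ", by_name_bound(conn, hostile_name))
    print("escaped name:    ", by_name_escaped(conn, hostile_name))
    print("escaped, unquoted id:", by_id_escaped_unquoted(conn, hostile_id))
    print("bound id:        ", by_id_bound(conn, hostile_id))
```

When reviewing escaping-based code, check that every escaped value lands inside quotes and that numeric inputs are validated or cast before use.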