Provide guidance for sql-injection type attacks

XMLWordPrintable

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • CN01
    • Affects Version/s: V4.0_WD01
    • Component/s: Securing OData
    • None
    • Environment:

      [Proposed]

    • Hide

      Add a cautionary note that, when taking input from a user, an application must make sure it is the expected type; for example, make sure there are no unescaped '&'.

      Show
      Add a cautionary note that, when taking input from a user, an application must make sure it is the expected type; for example, make sure there are no unescaped '&'.

      If the application has the expression:

      Customers?$filter=id eq @id

      and the user supplies the value for @id as "1&$expand=Orders"

      Then they have expanded the data that the application was intending.

            Assignee:
            Unassigned
            Reporter:
            Michael Pizzo (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: