#839: fix the SQL statement as this one does not express that the orderBy clause input is user input
		| @ -6,7 +6,7 @@ Answer: No it does not | |||||||
| Let us take a look at the following statement: | Let us take a look at the following statement: | ||||||
|  |  | ||||||
| ---- | ---- | ||||||
| SELECT * FROM users ORDER BY lastname; | "SELECT * FROM users ORDER BY " + sortColumName + ";" | ||||||
| ---- | ---- | ||||||
|  |  | ||||||
| If we look at the specification of the SQL grammar the definition is as follows: | If we look at the specification of the SQL grammar the definition is as follows: | ||||||
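Review bot: the identifier in the new right-hand line, `sortColumName`, is missing an "n" (`sortColumnName`), and a bare variable name still does not tell the reader where the value comes from, which is the whole point of this change per the commit message; consider making the source explicit, for example `"SELECT * FROM users ORDER BY " + request.getParameter("sort") + ";"` or a comment on the line saying the variable is taken from the request. The lead-in sentence above the block ("Let us take a look at the following statement") also still describes a plain SQL statement, whereas the block is now a string concatenation in application code, so either adjust the sentence or add a language hint to the `----` block so readers do not try to parse it as SQL.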
| @ -44,4 +44,4 @@ expression. | |||||||
| === Mitigation | === Mitigation | ||||||
|  |  | ||||||
| If you need to provide a sorting column in your web application you should implement a whitelist to validate the value | If you need to provide a sorting column in your web application you should implement a whitelist to validate the value | ||||||
| of the `order by` statement it should always be limited to something like 'firstname' or 'lastname'. | of the `order by` statement it should always be limited to something like 'first name' or 'last name'. | ||||||
|  | |||||||
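Review bot: changing the whitelist examples from `'firstname'` / `'lastname'` to `'first name'` / `'last name'` introduces spaces into values that are supposed to be column identifiers, which no longer match the `lastname` column used in the example at the top of the file and would not be valid unquoted identifiers in the generated `ORDER BY`; the old spelling was correct here and should be kept (ideally as code, `` `firstname` `` / `` `lastname` ``). While touching this sentence, it also runs two clauses together without punctuation ("...validate the value of the `order by` statement it should always be limited..."), and `order by` is a clause rather than a statement; something like "...validate the value used in the `order by` clause; it should always be limited to..." reads cleaner.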