Protecting against SQL injection attacks

Web.config file > <SearchConfiguration> section

In the Search <object> pages, the SQL statement that is generated and executed by Optiva must be a single SELECT statement; or it must be a group of SQL statements that are separated by an INTERSECT command.

If the generated SQL contains multiple statements separated by semicolons, a SQL injection attack can occur. To prevent these attacks from occurring in the Optiva database, use the <SearchConfiguration> section in the Web.config file. This file is located in the FsSvcCore directory.

The <SearchConfiguration> section identifies the functions and the tokens that have been approved by the Optiva administrator for use in the web client searches. Although Infor provides a list of the most common functions and tokens, the Optiva administrator can add to this list or modify it.

Each time a search is executed, the SQL code is scanned. The functions and the tokens that are listed in the search criteria are compared to the values in the Web.config file.

Any values that do not match the approved list are considered to be a risk. In this case, the search is not executed. A generic error is displayed to the user and an entry is added to the Event Viewer log.

This generic message does not mention that the error is a result of a possible SQL injection attack. This is intentional to prevent a potential hacker from attempting a different attack. The Optiva administrator can review the Windows Event Viewer log for the full details of the potential SQL injection attempt.
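The following Python sketch is an added illustration of the rules described above; it is not Optiva's own scanning code, and the real schema of the <SearchConfiguration> section is not shown on this page. The element and attribute names (`Functions`, `Tokens`, `add`, `enabled`), the table and column names, the function list and the error text are all assumptions for the example. It rejects semicolon-separated statements, requires each INTERSECT-separated segment to be a SELECT, compares every function and token against the allowlist, and on any finding returns only a generic message to the user while writing the full detail to an (in-memory) event log.

```python
import re
import xml.etree.ElementTree as ET

# Constructed allowlist fragment. Element/attribute names are assumptions for
# this example, not the documented <SearchConfiguration> schema.
SAMPLE_CONFIG = """
<SearchConfiguration enabled="true">
  <Functions>
    <add name="UPPER"/>
    <add name="LOWER"/>
    <add name="LEN"/>
  </Functions>
  <Tokens>
    <add name="SELECT"/>
    <add name="FROM"/>
    <add name="WHERE"/>
    <add name="AND"/>
    <add name="OR"/>
    <add name="LIKE"/>
    <add name="INTERSECT"/>
  </Tokens>
</SearchConfiguration>
"""

# Assumed wording; the page only says the user message is generic.
GENERIC_ERROR = "The search could not be completed. Contact your administrator."

STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")          # 'text' with '' escapes
WORD = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\b(\s*\()?")  # word, optional '('


def load_search_configuration(xml_text):
    """Parse the allowlist into (enabled, approved_functions, approved_tokens)."""
    root = ET.fromstring(xml_text)
    enabled = root.get("enabled", "true").strip().lower() == "true"
    functions = {(e.get("name") or "").upper() for e in root.findall("Functions/add")}
    tokens = {(e.get("name") or "").upper() for e in root.findall("Tokens/add")}
    return enabled, functions, tokens


def inspect_search_sql(sql, config, known_identifiers):
    """Return a list of findings; an empty list means the SQL is approved.

    known_identifiers: table/column names the search is allowed to reference
    (assumed to come from the application's own schema, not from the user).
    """
    enabled, functions, tokens = config
    if not enabled:
        return []
    identifiers = {i.upper() for i in known_identifiers}
    findings = []

    # String literals are data: a ';' or keyword inside quotes is not a statement.
    stripped = STRING_LITERAL.sub("''", sql)

    if "--" in stripped or "/*" in stripped:
        findings.append("comment marker found")
    if ";" in stripped:
        findings.append("statement separator ';' found (multiple statements)")

    # Only a single SELECT, or SELECTs joined by INTERSECT, is acceptable.
    segments = re.split(r"\bINTERSECT\b", stripped, flags=re.IGNORECASE)
    for i, segment in enumerate(segments):
        if not segment.strip().upper().startswith("SELECT"):
            findings.append(f"segment {i} is not a SELECT statement")

    # Every word must be an approved token, a known identifier, or an approved
    # function used as a call; anything else is treated as a risk.
    for m in WORD.finditer(stripped):
        word, is_call = m.group(1).upper(), bool(m.group(2))
        if word in tokens or word in identifiers:
            continue
        if is_call and word in functions:
            continue
        findings.append(f"unapproved {'function' if is_call else 'token'}: {word}")
    return findings


def run_search(sql, config, known_identifiers, event_log):
    """Apply the page's behaviour: generic message to the user, detail to the log."""
    findings = inspect_search_sql(sql, config, known_identifiers)
    if findings:
        event_log.append({"sql": sql, "findings": findings})
        return False, GENERIC_ERROR
    return True, "search executed"


if __name__ == "__main__":
    cfg = load_search_configuration(SAMPLE_CONFIG)
    ids = {"ITEMS", "NAME", "CODE", "STATUS"}
    log = []
    for candidate in (
        "SELECT NAME FROM ITEMS WHERE UPPER(CODE) LIKE 'A%'",
        "SELECT NAME FROM ITEMS; SELECT 1",
    ):
        print(run_search(candidate, cfg, ids, log))
    print(log)
```

The checker deliberately works as an allowlist: it does not try to recognise dangerous constructs, it only accepts what the administrator has approved, which is the same model the <SearchConfiguration> section follows.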

Although the SQL injection protection feature can be disabled in the Web.config file, it is strongly recommended that you keep the default value of Enabled.