Protecting against SQL injection attacks
Web.config file > <SearchConfiguration> section
In the Search <object> pages, the SQL statement that is generated and executed by Optiva must be a single SELECT statement, or it must be a group of SQL statements that are separated by an INTERSECT command. If there are multiple SQL statements and each statement is separated by a semicolon, then a SQL injection attack can occur. To prevent these attacks from occurring in the Optiva database, use the <SearchConfiguration> section in the Web.config file. This file is located in the FsSvcCore directory.
The <SearchConfiguration> section identifies the functions and the tokens that have been approved by the Optiva administrator for use in the web client searches. Although Infor provides a list of the most common functions and tokens, the Optiva administrator can add to this list or modify it.
Each time a search is executed, the SQL code is scanned. The functions and the tokens that are listed in the search criteria are compared to the values in the Web.config file.
Any values that do not match the approved list are considered to be a risk. In this case, the search is not executed. A generic error is displayed to the user and an entry is added to the Event Viewer log.
This generic message does not mention that the error is a result of a possible SQL injection attack. This is intentional to prevent a potential hacker from attempting a different attack. The Optiva administrator can review the Windows Event Viewer log for the full details of the potential SQL injection attempt.
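The scan described above, as an added example that is not Optiva's own code: a Python allowlist check that enforces the single-SELECT or INTERSECT-only rule, rejects semicolon-separated statements, compares functions and tokens against an assumed approved list standing in for the `<SearchConfiguration>` section, and returns only a generic message to the user while the full reasons go to the administrator's log (Python logging here, in place of the Windows Event Viewer). The approved lists, the reserved-word set and the sample queries are assumptions.

```python
"""Allowlist scan of a generated search query, modelled on the checks the
text describes. Added illustrative code, not Optiva's implementation; the
approved lists, the reserved-word set and the log format are assumptions."""
import logging
import re

log = logging.getLogger("search-scan")   # stands in for the Event Viewer entry

# Assumed allowlist standing in for the <SearchConfiguration> section.
APPROVED_FUNCTIONS = {"UPPER", "LOWER", "LTRIM", "RTRIM", "COALESCE"}
APPROVED_TOKENS = {"SELECT", "FROM", "WHERE", "AND", "OR", "LIKE", "IN", "IS",
                   "NOT", "NULL", "AS", "ORDER", "BY", "INTERSECT"}
# Assumed set of words the scanner treats as SQL keywords at all; any other
# bare word is taken to be a column or table name from the search criteria.
SQL_RESERVED = APPROVED_TOKENS | {"UNION", "EXEC", "EXECUTE", "DECLARE", "DROP",
                                  "DELETE", "INSERT", "UPDATE", "ALTER", "WAITFOR"}
GENERIC_ERROR = "The search could not be executed."

_LITERAL = re.compile(r"'(?:[^']|'')*'")      # single-quoted SQL string literal
_FUNC = re.compile(r"\b([A-Za-z_]\w*)\s*\(")   # identifier immediately before "("
_WORD = re.compile(r"\b([A-Za-z_]\w*)\b")

def scan_query(sql: str) -> tuple[bool, str, list[str]]:
    """Return (allowed, message for the user, reasons for the admin log)."""
    reasons: list[str] = []
    body = _LITERAL.sub("''", sql)             # literal contents are data, not code
    if ";" in body:
        reasons.append("semicolon-separated statements")
    if "--" in body or "/*" in body:
        reasons.append("SQL comment marker")
    # Every INTERSECT-separated part must itself be a SELECT statement.
    for part in re.split(r"\bINTERSECT\b", body, flags=re.IGNORECASE):
        if not part.strip().upper().startswith("SELECT"):
            reasons.append("statement is not a SELECT")
    # Names followed by "(" are function calls; keywords like "IN (" are not.
    funcs = {m.upper() for m in _FUNC.findall(body)} - SQL_RESERVED
    reasons += sorted("unapproved function " + f for f in funcs - APPROVED_FUNCTIONS)
    # Remaining keywords must be on the approved token list.
    words = {w.upper() for w in _WORD.findall(body)} - funcs
    reasons += sorted("unapproved token " + w
                      for w in (words & SQL_RESERVED) - APPROVED_TOKENS)
    if reasons:
        # Full detail only reaches the administrator's log; the user gets a generic message.
        log.warning("search rejected: %s | query=%r", "; ".join(reasons), sql)
        return False, GENERIC_ERROR, reasons
    return True, "", []
```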
Although the SQL Injection feature can be disabled in the Web.config file, it is strongly recommended that you keep the default value of Enabled.