About Filter Validation

As a security measure designed to prevent SQL injection attacks from sources that have access to the IDO Runtime Service through various integration points in the application, filters for LoadCollection requests can be validated before automated actions are allowed to continue.

You can control the level of filter validation with the use of the Filter Validation process default. Filter validation detects potentially unsafe filters and raises an exception, rather than executing the request.

The Filter Validation process default has three valid settings:

  • High: Validates filters for all sessions
  • Medium: Validates filters for only automation sessions
  • Low: Does not validate filters at all

Regardless of this process default, there are certain characters or combinations of characters that are not allowed in any filter:

  • Semi-colons, except in string literals
  • Characters that define comments (--, /*, */, etc.), except in string literals

When filter validation is in effect for a session (High for all sessions, Medium for automation sessions), only the following characters and combinations of characters are allowed:

  • Property names
  • Comparison operators: =, <>, !=, >, <, >=, <=, !>, !<, IS, NOT
  • Logical operators: AND, OR, IN, LIKE, BETWEEN, CONTAINS
  • Literal values: Numbers, strings, NULL
  • Parentheses ( ) and commas
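The following is an added illustration of the two rules described above (the always-forbidden sequences and the allow list that applies when validation is in effect), written as a small Python validator. It is not the IDO Runtime Service's own implementation; the token grammar (single-quoted string literals with '' as the escape, identifiers as property names, decimal numbers with an optional leading minus) and the `automation_session` flag used to emulate the Medium setting are assumptions made for the example.

```python
import re

# Constructed reimplementation of the documented filter rules; not Infor's code.
# Assumption: string literals are single-quoted and '' escapes an embedded quote.
STRING_LITERAL = r"'(?:[^']|'')*'"

# Allow list from the documentation: property names, comparison operators,
# logical operators, literal values (numbers, strings, NULL), parentheses, commas.
TOKEN_RE = re.compile(
    r"""
    (?P<ws>\s+)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>-?\d+(?:\.\d+)?)
  | (?P<op>!=|<>|>=|<=|!>|!<|=|>|<)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<punct>[(),])
    """,
    re.VERBOSE,
)

# Operator keywords listed on the page; any other bare word is treated as a property name.
KEYWORDS = {"IS", "NOT", "AND", "OR", "IN", "LIKE", "BETWEEN", "CONTAINS", "NULL"}

# Sequences rejected at every validation level unless they sit inside a string literal.
FORBIDDEN_SEQUENCES = (";", "--", "/*", "*/")


class UnsafeFilterError(ValueError):
    """Raised instead of executing a LoadCollection request whose filter is unsafe."""


def validation_applies(level, automation_session):
    """Map the Filter Validation process default to whether the allow-list check runs."""
    level = level.capitalize()
    if level == "High":
        return True                      # every session is checked
    if level == "Medium":
        return automation_session        # only automation sessions are checked
    if level == "Low":
        return False                     # allow list is not enforced
    raise ValueError(f"unknown Filter Validation level: {level!r}")


def find_forbidden_sequence(filter_text):
    """Return the first always-forbidden sequence found outside string literals, or None."""
    outside_literals = re.sub(STRING_LITERAL, "''", filter_text)
    for seq in FORBIDDEN_SEQUENCES:
        if seq in outside_literals:
            return seq
    return None


def tokenize(filter_text):
    """Split a filter into (kind, text) tokens; raise on anything outside the allow list."""
    tokens = []
    pos = 0
    while pos < len(filter_text):
        m = TOKEN_RE.match(filter_text, pos)
        if m is None:
            raise UnsafeFilterError(
                f"disallowed character {filter_text[pos]!r} at offset {pos}")
        kind = m.lastgroup
        text = m.group()
        if kind == "word":
            kind = "keyword" if text.upper() in KEYWORDS else "property"
        if kind != "ws":
            tokens.append((kind, text))
        pos = m.end()
    return tokens


def validate_filter(filter_text, level="High", automation_session=False):
    """Return True if the request may proceed; raise UnsafeFilterError otherwise."""
    seq = find_forbidden_sequence(filter_text)
    if seq is not None:
        raise UnsafeFilterError(
            f"sequence {seq!r} is never allowed outside a string literal")
    if validation_applies(level, automation_session):
        tokenize(filter_text)            # raises on any token outside the allow list
    return True


def is_filter_allowed(filter_text, level="High", automation_session=False):
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        return validate_filter(filter_text, level, automation_session)
    except UnsafeFilterError:
        return False


if __name__ == "__main__":
    # Constructed sample filters: the first two pass, the last is rejected at every level.
    for sample in ("CustNum = 'C001' AND Status IN ('A','B')",
                   "Name LIKE 'O''Brien; --'",
                   "CustNum = 'C001'; -- trailing"):
        print(f"{sample!r}: {is_filter_allowed(sample)}")
```

The forbidden-sequence check runs first and independently of the level, which mirrors the page's "regardless of this process default" rule; the allow list is only consulted when `validation_applies` says so, which is what makes Medium differ from High for interactive sessions. Note that the allow list constrains the syntax of a filter, not its logic, so it complements rather than replaces authorisation checks on the data a session may load.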