KB Article 16151
2019/07/23


WebSmart on XSS and SQL Injection

Product: WebSmart ILE Type: Frequently Asked Question

Preventing XSS and SQL injection attacks in WebSmart PHP

XSS: At template creation, WebSmart PHP uses different functions on locations where you usually display, add or change records (i.e. any time you access your database) to avoid XSS attacks. These functions are htmlspecialchars() and xl_encode(). 

 - xl_encode() will prevent malicious attacks on your database by escaping characters such as single quotes, double quotes, and backslashes.

 - htmlspecialchars() will convert special characters to their HTML-encoded equivalents (for example, a single quotation mark becomes &#039;), so that user-supplied text is rendered as text rather than interpreted as markup.

SQL Injection: Like XSS, WebSmart will apply an xl_encode() function on the variables where you build your "WHERE" clause, preventing items like single quotation marks, double quotation marks, and backslashes.



Preventing XSS and SQL injection attacks in WebSmart ILE

XSS: At template creation, WebSmart ILE encodes the fields on locations where you usually display, add or change records (i.e. any time you access your database) to avoid XSS attacks. This is done by encoding all the fields using the following format:

   <field name=fieldName encode="HTML">

This displays and retrieves characters as their html encoded value, such as &#039; for a single quotation mark. 

SQL Injection: Whenever a field accesses the database (such as a field for filtering), the PML source code includes a function called rplstr() that will be applied on the "WHERE" clause. The way the template sets it for you is the following:

   whrclause = "";
   whrlink = " where";

   // Only add the filter when the user actually supplied a value.
   if (fieldName <> "")
   {
      // rplstr() doubles every single quote in the trimmed value, which is the
      // standard SQL escape: the value can only be read as text inside the literal.
      whrclause = whrclause + whrlink + " fieldName = '" + rplstr(trim(ww_fieldName), "'", "''") + "'";
   }

   selstring = selstring + " " + whrclause;
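As an added illustration (this is not WebSmart template code, and the names html_encode, sql_quote_escape, build_where and build_select are my own), the following Python models the two encoders described above: the HTML encoding used for display and the quote-doubling escape that rplstr() applies when the WHERE clause is built. The column-name check in build_where is an added assumption, since the template hard-codes the column name and only the value comes from the browser.

```python
import html
import re


def html_encode(value: str) -> str:
    """Model of htmlspecialchars() / encode="HTML": make user text inert in HTML.
    Mirrors PHP's htmlspecialchars with ENT_QUOTES (single quote -> &#039;)."""
    return html.escape(value, quote=True).replace("&#x27;", "&#039;")


def sql_quote_escape(value: str) -> str:
    """Model of rplstr(trim(value), "'", "''"): double every single quote so the
    SQL parser can only read the value as text inside the quoted literal."""
    return value.strip().replace("'", "''")


def build_where(field: str, value: str) -> str:
    """Rebuild the template's whrclause/whrlink logic for one filter field.
    The column name must come from the program (assumption added here):
    escaping only protects the quoted value, never an identifier."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", field):
        raise ValueError("column name must be a plain identifier from the program")
    if value.strip() == "":
        return ""
    return f" where {field} = '{sql_quote_escape(value)}'"


def build_select(table: str, field: str, value: str) -> str:
    """Equivalent of: selstring = selstring + " " + whrclause."""
    return f"select * from {table}" + build_where(field, value)


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate name with an apostrophe and a
    # classic quote-breaking probe; both end up as plain text in the literal.
    for sample in ("O'Brien", "' or '1'='1"):
        print(build_select("customers", "custname", sample))
        print(html_encode(sample))
```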

 

NOTES:

In both WebSmart PHP and WebSmart ILE, you can choose to extend these behaviours however needed, depending on who's accessing your programs and how they are meant to be accessed. Templates are just what they are: templates. They won't provide the highest level of security to your programs, but instead give you a starting guidance point to your web applications.
