Hacking Servoy through 'SQL-Injection' - How to prevent it?

Searching through documentation and forum, I couldn’t find any mention of the so-called hack ‘SQL-Injection’, and the ways to prevent it.

‘SQL-Injection’ consists of putting unauthorized SQL statements (queries) into variables (columns) which are known to be used to construct solution queries.

A conventional workaround is to use parameterized queries or to encode all variable parts of the queries by using functions like escape() or unescape().

a) Do you, servoy team, take care of this hacking method?
b) If yes, can you explain the method used?
c) What do you propose to secure developer queries as used in getDatasetByQuery()? Can we use escape() or encodeURI()?

As you probably already suppose, the protection against ‘SQL-Injection’ is a security requisite for some of our customers. Thank you in advance for your answer.

Btw, maybe we could have some use for a forum topic about security threats.

All the queries we generate ourselves are done through prepared (parameterized) queries.

If you as developer do a getDatasetByQuery() then it is your own doing what you do there.
We give you the choice to also use prepared queries: use the Object args and don’t do:

// value spliced into the statement text
var sql = "select x from y where z = 'test'";
databasemanager.getDatasetByQuery(xxx, sql);

but
// value passed separately as a query argument
var array = new Array();
array[0] = 'test';
var sql = "select x from y where z = ?";
databasemanager.getDatasetByQuery(xxx, sql, array);
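To make the difference between the two forms concrete, here is an added example (written for this thread, not code from the post or from Servoy) that builds both variants of the statement and checks what happens when the value contains an apostrophe. Servoy is not available offline, so the functions only prepare what would be handed to getDatasetByQuery(); the server name and the sample value "O'Brien" are assumptions for illustration.

```javascript
// Added example, not part of the original post or of Servoy.
// Contrasts string-built SQL with the placeholder-plus-arguments form.

// Unsafe: the value is spliced into the statement text, so any quote
// character in the value becomes part of the SQL syntax.
function buildConcatenated(value) {
  return "select x from y where z = '" + value + "'";
}

// Safe: the statement text is fixed; the value travels separately as
// an argument and is bound by the driver as data, never as SQL.
function buildParameterized(value) {
  var args = new Array();
  args[0] = value;
  return { sql: "select x from y where z = ?", args: args };
}

// Crude structural check: count single quotes in the statement text.
// An odd count means the quoting has been broken by the value.
function countQuotes(sql) {
  var n = 0;
  for (var i = 0; i < sql.length; i++) {
    if (sql.charAt(i) === "'") n++;
  }
  return n;
}

// True when the statement text still contains the raw value, i.e. user
// data has leaked into the SQL grammar.
function valueLeaksIntoSql(sql, value) {
  return sql.indexOf(value) !== -1;
}

// Constructed sample input: a perfectly legitimate value with an apostrophe.
var sample = "O'Brien";

// Concatenated: three quotes in the text, a broken statement, and the
// value is now indistinguishable from SQL.
var concatenated = buildConcatenated(sample);

// Parameterized: the text is unchanged whatever the value holds.
var parameterized = buildParameterized(sample);

// In Servoy this is the call Johan describes (server name is assumed):
// databasemanager.getDatasetByQuery("example_server", parameterized.sql, parameterized.args);
```

The two checks, countQuotes() and valueLeaksIntoSql(), are only there to make the point visible; in real code the protection comes from keeping the SQL text constant and sending every variable part through the args array, not from inspecting the string afterwards.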

Thank You Johan,

We are very pleased with this answer; maybe it should appear somewhere in the documentation, as it is a requirement for several big companies.

I suggest two separate parts:
In reference manual: …Servoy takes care of ‘sql-injections’ hacker attacks…
In user manual: developers, please use the following syntax to prevent…

Have a nice day!