
Question

Forms field data to Workflow for DB Insertion.....Preventative measures against malicious users?

asked on August 27, 2014

So I have a client with a form process that sometimes (based on business logic) does not need any approval, just stores the form to the repository and has a workflow act on it. The idea is to take the newly submitted data and have it update/insert data to the database used for a lookup in the form. 

 

The client is concerned with security. The forms server is behind a domain, the users need to be inside the VPN to access it, but still, if someone were to get onto that machine, it is possible that we would have forms submitted that were containing SQL Injections and with only Workflow handling this data, it would be a potential risk. So are there any tools built into forms or workflow to help reduce this risk? Any documentation that I can provide the customer would also be quite useful in this respect as we obviously want to make sure that we know things are secure and help the client understand any risks that go into using such a solution before we implement it.


Answer

SELECTED ANSWER
replied on August 27, 2014

The Workflow Data activities use parametrized queries, so SQL injection is not possible. The only way to SQL inject a query is if you choose to build the entire query as a token and use just the token by itself in Custom Query.

replied on August 28, 2014

Would you be able to provide any specific information on that or should I just be able to show the client whatever information I can find on the internet about using parametrized queries?


Replies

replied on August 28, 2014

Google should get you more than enough. For example, say that you have this form that collects student data:

 

This form feeds into the following workflow which inserts data into the Students table:

 

 

When somebody tries to enter "Robert'); DROP TABLE Students;--" as their first name, the value will end up like that in SQL:

 

 

The same would happen if you use Custom Query with parameters:

 

 

However, if instead you choose to write your own query in a token:

 

 

And you use this token by itself in Custom Query:

 

Then the query would be passed on to the ODBC driver as-is. Obviously, this is not the recommended setup and rather more of a hidden/advanced feature.

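As an added illustration of the contrast the reply above draws (this is not part of the thread and not Laserfiche code), the following Python script uses the standard `sqlite3` module to show both paths with the same "Robert'); DROP TABLE Students;--" first name. The `Students` table and its columns are a constructed sample schema. `insert_parameterized` stands in for a Data activity or a Custom Query with parameters, where the value is sent separately from the SQL text and ends up stored literally; `build_query_in_token` stands in for building the whole query inside a token, and `executescript` stands in for a driver that executes whatever text it is handed as-is (that is an assumption about the driver, used only to show what the spliced text would do):

```python
import sqlite3

# Constructed sample input: the first-name value quoted in the reply above.
MALICIOUS_FIRST_NAME = "Robert'); DROP TABLE Students;--"


def new_students_db():
    """Create an in-memory database with a constructed sample Students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Students (Id INTEGER PRIMARY KEY, FirstName TEXT)"
    )
    return conn


def insert_parameterized(conn, first_name):
    """Parameterized insert: the SQL text is fixed and the value is bound
    separately, so the driver never parses the form value as SQL."""
    conn.execute("INSERT INTO Students (FirstName) VALUES (?)", (first_name,))
    conn.commit()


def build_query_in_token(first_name):
    """Query assembled in a token: the form value is spliced into the SQL text,
    so quotes and semicolons inside it change the statement structure."""
    return f"INSERT INTO Students (FirstName) VALUES ('{first_name}')"


def stored_first_names(conn):
    """Return the FirstName values currently in the table."""
    return [row[0] for row in conn.execute("SELECT FirstName FROM Students")]


def table_exists(conn):
    """True if the Students table still exists."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row[0] == 1


def demo_parameterized():
    """Parameterized path: the hostile string is stored as a plain name and
    the table survives. Returns (stored names, table still exists)."""
    conn = new_students_db()
    insert_parameterized(conn, MALICIOUS_FIRST_NAME)
    return stored_first_names(conn), table_exists(conn)


def demo_token_query():
    """Token-built path: the spliced text is now two statements plus a comment.
    executescript runs the batch as a permissive driver would.
    Returns (the SQL text that was sent, table still exists)."""
    conn = new_students_db()
    sql = build_query_in_token(MALICIOUS_FIRST_NAME)
    conn.executescript(sql)
    return sql, table_exists(conn)


if __name__ == "__main__":
    names, ok = demo_parameterized()
    print("parameterized -> stored:", names, "| table exists:", ok)
    sql, ok = demo_token_query()
    print("token query   -> sent:", sql)
    print("token query   -> table exists:", ok)
```

The point to take to the client is the first function: with parameters, the form value can only ever become a column value, which is why the Workflow Data activities and Custom Query with parameters are not injectable. The second function is what you get only by deliberately assembling the whole statement in a token and passing that token by itself, which the reply above already calls a non-recommended setup.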