The answer unfortunately depends on how the report is written. Parameter values can be included literally in the SQL statement you build, which would lead to the potential for SQL injection. But if you use the Maximo functions properly, you shouldn't have to worry about it.
The params["where"] that you should keep on all your reports (as it's how data restrictions are enforced, and applies the user's filter when appropriate) will contain any parameters that are bound to attributes. So for example, if you had a report in inventory and had a parameter bound to storeroom (inventory.location), when the report is executed from Maximo the params["where"] will automatically include the filter provided for inventory.location and will be properly escaped without you doing anything. When you're previewing the report locally or if you have a parameter that isn't bound to an actual field (such as referencing a start & end date for transactions), you should use the proper way to build the where clause. For example:
MXReportSqlFormat.createParamWhereClause("inventory.location", params["storeroom"].toUpperCase())
This function does a few important things besides just avoiding SQL injection. It allows you to specify what object and attribute you're filtering on, and it will take the values and properly turn them into a SQL where clause. That includes the case where you set a lookup to accept multiple values (where the parameter value could be =CENTRAL,=MAIN, for example): it'll know to turn that into (inventory.location='CENTRAL' or inventory.location='MAIN').
As long as the reports are developed properly, you should be fine. But there's nothing stopping someone from doing it poorly.
------------------------------
Steven Shull
Director of Development
Projetech Inc
Cincinnati OH
------------------------------
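The behaviour described in the answer above, as an added illustration that is not Maximo's own code: a hypothetical buildParamWhereClause() written in the JavaScript a BIRT report script would use, which mimics what the answer says MXReportSqlFormat.createParamWhereClause does (object.attribute plus a parameter value, including the multi-value =CENTRAL,=MAIN form, turned into an escaped where fragment), shown next to the unsafe concatenation it replaces and a helper for and-ing the result onto params["where"]. The function names, the sample storeroom values and the attempted-injection string are all constructed for this example.

```javascript
// Added example, not Maximo's MXReportSqlFormat. It reproduces the
// behaviour described in the answer so the difference between a quoted
// literal and a pasted-in parameter is visible on real input.

// Quote a value as a SQL string literal: embedded single quotes are doubled,
// so whatever the user typed can only ever be compared as data.
function sqlLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Split a lookup value such as "=CENTRAL,=MAIN" into its individual values.
// Only the "=value" form mentioned in the answer is handled; a leading "="
// is stripped and everything else is treated as the literal to compare.
// (Commas are the value separator in this format, so a value containing a
// comma would be split; that is a property of the format, not of the escaping.)
function parseParamValue(raw) {
  return String(raw)
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((s) => (s.startsWith("=") ? s.slice(1) : s));
}

// Build "object.attribute='value'" or "(a='v1' or a='v2' ...)" from a
// parameter value. The attribute reference itself is validated as an
// identifier so it cannot be used to smuggle SQL in either.
function buildParamWhereClause(attribute, rawValue) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_][A-Za-z0-9_]*$/.test(attribute)) {
    throw new Error("invalid attribute reference: " + attribute);
  }
  const values = parseParamValue(rawValue);
  if (values.length === 0) {
    return ""; // no filter supplied; caller drops the empty fragment
  }
  const terms = values.map((v) => attribute + "=" + sqlLiteral(v));
  return terms.length === 1 ? terms[0] : "(" + terms.join(" or ") + ")";
}

// The pattern the answer warns about: the parameter pasted straight into SQL.
function unsafeWhereClause(attribute, rawValue) {
  return attribute + "='" + rawValue + "'";
}

// Combine the report's params["where"] (data restrictions, user filter)
// with extra fragments; each part is parenthesised so OR-groups stay intact.
function combineWhere(...parts) {
  return parts
    .filter((p) => p && p.length > 0)
    .map((p) => "(" + p + ")")
    .join(" and ");
}

// Constructed sample inputs.
const multi = "=CENTRAL,=MAIN";
const hostile = "X' or '1'='1";
const baseWhere = "inventory.siteid='BEDFORD'"; // stands in for params["where"]

console.log(buildParamWhereClause("inventory.location", multi));
// (inventory.location='CENTRAL' or inventory.location='MAIN')
console.log(unsafeWhereClause("inventory.location", hostile));
// inventory.location='X' or '1'='1'   <- the OR is now live SQL
console.log(buildParamWhereClause("inventory.location", hostile));
// inventory.location='X'' or ''1''=''1'   <- still a single literal
console.log(combineWhere(baseWhere, buildParamWhereClause("inventory.location", multi)));
```

Feed a lookup value to both functions and compare: the unsafe version turns the quote in the hostile value into a second, always-true condition, while the quoting version keeps it as one comparison value, which is the property the real createParamWhereClause gives you for free.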
Original Message:
Sent: Thu October 22, 2020 01:09 PM
From: User1971
Subject: SQL Injection: BIRT report parameters
I'm new to Maximo BIRT reports.
How secure are BIRT reports when it comes to SQL injection in the parameters? Is there risk involved?
Thank you.
7.6.1.2
#Maximo
#AssetandFacilitiesManagement