I’ve written an agent to test an ODBC connection on a Domino Server to call a SQL query on an SQL Server 2005 box and all works well when stepping through the code in debugger.
Is there anything I need to be aware of when calling this agent from a web browser? The queries are only to read the data so the username connecting to the SQL server via the ODBC connection has readonly access to the tables. I’m aware that I can print from the agent directly to the browser so I can form my results and display them.
Is there a preferred way to pass parameters to the agent to then be included in the lookup SQL query?
Any advice on common problems would be a big help, thanks!
Subject: WEB SQL Query
The biggest point of concern is, if the ODBC data source is really configured correctly on the server machine.
As long as you run your agent manually (using the debugger or not) it actually runs on your workstation, even if the database resides on the server. When run as a web agent, it will always execute on the server, though.
If you call the agent from a web browser by its URI, your only option to pass parameters is to append them to the URL string, like
http://server/path/db.nsf/AgentName?OpenAgent&param1=value1&param2=value2
Your agent needs to access the Query_String or Query_String_Decoded CGI field to extract the values. To make this a little easier, you might consider using a custom web session class that could provide a simple method to retrieve parameter values by parameter names. Jake Howlett has a nice reusable example that contains such a method (which he actually borrowed from the 7.0.2 RSS template):
http://codestore.info/store.nsf/unid/BLOG-20080211?OpenDocument
Subject: RE: WEB SQL Query
Thanks for the reply, I will be coding the agent this week so hopefully the tips you gave will help.
Do you know what SQL injection is in the next message?
Subject: RE: WEB SQL Query
You must take care that whatever you pass to your agents as arguments will not be treated as SQL statements directly. Depending on how you process them, somebody with enough knowledge could pass text that e.g. ends your intended SQL statement and creates a new one, just by adding text to the URL that points to your agent. That - in simple words - would be called SQL injection.
Remember: SQL is code! So take care when building your statement.
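As an added illustration of both points made in the replies above (reading the parameters out of the agent's query string, and keeping those values out of the SQL text), here is a small Python example that is not code from this thread. It assumes the agent receives `Query_String_Decoded` as shown, uses an in-memory sqlite3 table as a stand-in for the ODBC connection to SQL Server (the `?` placeholder style is the same one ODBC drivers use), and all parameter names and table data are constructed for the demo.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample: the part of the agent URL after "?", as a Domino web
# agent would see it in the Query_String_Decoded CGI field (hypothetical values).
QUERY_STRING = "OpenAgent&param1=ACME&param2=2008"


def get_param(query_string, name):
    """Return the first value of a URL parameter, or None if it is absent."""
    values = parse_qs(query_string, keep_blank_values=True).get(name)
    return values[0] if values else None


def setup_demo_db():
    """In-memory stand-in for the read-only SQL Server tables (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (customer TEXT, year INTEGER, amount REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        ("ACME", 2008, 100.0), ("ACME", 2007, 50.0), ("Globex", 2008, 75.0)])
    return conn


def lookup_unsafe(conn, customer):
    # Vulnerable: the URL value is pasted into the SQL text, so a value that
    # closes the quote and adds its own condition changes the statement
    # instead of being compared as data (the situation the reply warns about).
    sql = "SELECT amount FROM orders WHERE customer = '" + customer + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, customer, year):
    # Hardened: '?' placeholders; the driver sends the values separately from
    # the statement text, so they can never terminate or extend the statement.
    sql = "SELECT amount FROM orders WHERE customer = ? AND year = ?"
    return [row[0] for row in conn.execute(sql, (customer, int(year)))]


def handle_request(conn, query_string):
    """What the web agent would do: read the parameters, validate, then query."""
    customer = get_param(query_string, "param1")
    year = get_param(query_string, "param2")
    if customer is None or year is None or not year.isdigit():
        return None  # reject rather than guess; the agent would print an error page
    return lookup_safe(conn, customer, year)
```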
Subject: WEB SQL Query
Hi, please check out this link for details on SQL Injection and how to avoid the same:
http://www.owasp.org/index.php/SQL_injection
Robert M
Subject: beware of SQL injection 