Share This
 
All Posts  /  Kentico Development Tips  /  April 01, 2016 

Creating Secure Filters in Kentico: Programmatically or QueryStrings

When doing any custom development, it is important to ensure you don’t make your site vulnerable to SQL injection attacks. Fortunately, Kentico provides developers and site administrators with easy ways to protect their sites. In this post, I provide a use case scenario on creating secure filters with Kentico programmatically, or using querystrings.
 

Consider this scenario: You are creating a new page type that will provide editors with an easy way to add cocktail recipes to your site. You want to provide a way to show how potent the drink is, but you don’t want to allow the editor to type in whatever they want because said editor lacks a censor. So, you decide to use the drop down list form control and limit what the editor can select. You also decide to allow users to filter by potency and search by drink name.Form Field List Of Options

Programmatically

You read Kentico’s documentation on creating a custom filter and follow the example provided. You also read my previous blog post on how to access the list of options entered into the page type control setting and auto populate the drop down list filter with the options set in the control settings.

Finally you add the Filter web part to your page and set the filter in the repeater.
 Add filter to repeater

Your colleagues praise you for your ability to create such a useful source of information.

Cocktail Recipe Filter

Unfortunately, your cocktail recipe competitor and childhood frenemy, Sir DrinksAlot, soon finds a vulnerability in your site and enters the following text into your search box


    a'); Update custom_Cocktail set Name='Sir DrinksAlot Makes It Better' where CocktailID > 0 --

This results in the name of all of your cocktails being changed to "Sir DrinksAlot Makes it Better".

Cocktail Recipe Filter - After SQL Injection

So you read the documentation on preventing SQL Injection and use the methods SqlHelper.EscapeQuotes() and SqlHelper.EscapeLikeText() to prevent this kind of violation from ever happening again. And, while you are upset about being violated, you are glad that DrinksAlot didn't take the opportunity to add himself to your CMS_User table as a global admin or drop one of your tables. Curious about how these methods affect the SQL query, you look at the SQL Queries in the Debug Application in Kentico. 
SQL Query

To see the final drink recipe filter code, download it here.
 

QueryString

You use an editable text area web part which you add a dropdown list and a search box to. Then you use Javascript (example here) to reload the page with the querystrings.

Editable Region Source

In your repeaters where condition you use a macro to get the querystring parameters.


{%  
  String query = "";
   if(QueryString.potency != null) { query += "Potency='"+QueryString.potency+"'" }
   if(QueryString.name != null) { if(QueryString.potency != null) { query += " AND "} 
      query += "Name LIKE '%"+QueryString.name+"%'"
   }
    return query;
#%}

But you get an error :
[Error loading the control 'Repeater', check event log for more details]

And after looking at the event log you see that Kentico is trying to ruin your life by adding extra apostrophes to the SQL query, so you try to find a way to make it stop doing that and come up with:


{%  
  String query = "";
   if(QueryString.potency != null) { query += "Potency='"+QueryString.potency+"'" }
   if(QueryString.name != null) { if(QueryString.potency != null) { query += " AND "} 
      query += "Name LIKE '%"+QueryString.name+"%'"
   }
    return query;
   |(handlesqlinjection)false 
#%}

Yay! Now it works. However, you just disabled Kentico's built-in protection against SQL Injection attacks and you know your buddy Sir DrinksAlot takes every opportunity to make you look foolish while promoting his own cocktail recipes (take a look at what he did in the above scenario). So, you read the documentation on Macros and Security and add the SQLEscape() method to your macro to prevent any injection.

{%  
  String query = "";
   if(QueryString.potency != null) { query += "Potency='"+SQLEscape(QueryString.potency)+"'" }
   if(QueryString.name != null) { if(QueryString.potency != null) { query += " AND "} 
      query += "Name LIKE '%"+SQLEscape(QueryString.name)+"%'"
   }
    return query;
  |(handlesqlinjection)false
#%}

So there you have it. Two different ways to create secure filters for your site. I prefer to create the filters from code behind, but if you are unable to access the server, using querystrings are an acceptable alternative. Regardless of how you choose to implement your filters, when you are doing any custom development or disabiling Kentico's built in protection, it is important to ensure that you add in the proper security measures. Luckily, Kentico has already thought of these things and all you have to do is call the methods!  


Get in touch with us if you would like to discuss more ways to check and enhance the security of your site!

Show More
Share This
 
Comments
Josh Anderson
Great Post. Thanks for sharing!
4/13/2016 3:36:08 PM
*
 Security code
*
ADD COMMENT
Social Buzz

Get in Touch

Contact

Contact
t: 973.539.5255
f: 973.917.4730

Visit

Visit
715 Main Street
Boonton, NJ 07005

Locations

Locations
Boonton
Dallas
Jersey City
Boulder

Send Us a Message




 Security code