Recently, we discovered that the string type parameters used in Crystal Report are open to pattern injection, i.e., a LIKE pattern (with wildcards such as % and _) can be sent through these string parameters and run against the system database directly. This only happens when the string is used with the LIKE keyword in the SQL query.
For example, the query may look like this:
SELECT CompanyName
FROM Customers
WHERE CompanyName LIKE {?CompanyParameter}
We have solved this issue by stripping the special characters that may pose a threat from the string before we send it to Crystal Report. We hope this can be handled inside Crystal Report itself in the future, to prevent this security threat from affecting any Crystal Report user.
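The following is an added example, not code from the post or from Crystal Report. It shows the two halves of the problem using an in-memory SQLite table named Customers (constructed sample rows) as a stand-in for the report's data source: a query that uses the parameter as the LIKE pattern as posted, and the same query with the wildcards neutralised before the value reaches it, which is the fix the post describes. The backslash escape character and the bracket handling are assumptions chosen to suit SQL Server's LIKE dialect as well as SQLite's.

```python
import sqlite3

# Characters that have special meaning inside a SQL LIKE pattern. '%' and '_'
# are standard; '[' and ']' are also special in SQL Server's LIKE, so they are
# escaped as well (harmless on engines that treat them literally).
LIKE_SPECIALS = "%_[]"
ESCAPE_CHAR = "\\"


def escape_like(value: str) -> str:
    """Escape a user-supplied string so LIKE matches it literally.

    The escape character itself is doubled first, so a supplied backslash
    cannot cancel the escaping of the wildcard that follows it.
    """
    out = value.replace(ESCAPE_CHAR, ESCAPE_CHAR * 2)
    for ch in LIKE_SPECIALS:
        out = out.replace(ch, ESCAPE_CHAR + ch)
    return out


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the Customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (CompanyName TEXT)")
    conn.executemany(
        "INSERT INTO Customers VALUES (?)",
        [("Acme Ltd",), ("Acme Corp",), ("Bolt and Nut Inc",), ("50% Off Shop",)],
    )
    return conn


def search_unescaped(conn: sqlite3.Connection, company: str) -> list:
    """The report's query as posted: the parameter is used as the LIKE pattern.

    A value of '%' therefore matches every customer and '_' matches any one
    character, so the caller can widen the result set at will.
    """
    rows = conn.execute(
        "SELECT CompanyName FROM Customers WHERE CompanyName LIKE ?", (company,)
    ).fetchall()
    return [r[0] for r in rows]


def search_escaped(conn: sqlite3.Connection, company: str) -> list:
    """Wildcards neutralised before the value reaches the query, plus an
    ESCAPE clause so the engine knows which character does the escaping."""
    rows = conn.execute(
        "SELECT CompanyName FROM Customers WHERE CompanyName LIKE ? ESCAPE '\\'",
        (escape_like(company),),
    ).fetchall()
    return [r[0] for r in rows]
```

Two separate controls are at work here. Binding the value with `?` stops a quote in the parameter from altering the SQL text; escaping with `escape_like` stops `%` and `_` from altering the match. Crystal Report substitutes `{?CompanyParameter}` itself, so the escaping has to happen in the calling application before the value is handed over, exactly as the post describes.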
Monday, 15 August 2011
Sunday, 14 August 2011
Daylight saving offset is not available in SQL scripting
We discovered a drawback when using SQL scripts with Crystal Report: converting all the GMT date-time fields in our database to local time does not account for the daylight saving offset.
Unfortunately, the only way we found to overcome this is to create a new table that records the daylight saving information for each location. When we build a Crystal Report, the SQL query can then look up the daylight saving offsets and apply them correctly on different dates.
A Google search indicates that Crystal Report may have this function in place in version 2011.
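As an added example (not from the post), this is one way to implement the lookup table approach just described. The table and column names (Locations, DaylightSaving, BaseOffsetMin, DstOffsetMin, StartUtc, EndUtc) are assumptions, the rows are constructed sample data for 2011, and an in-memory SQLite database stands in for the real one. The query joins the daylight saving period that covers the GMT timestamp, if any, and shifts the timestamp by the base offset plus that period's offset.

```python
import sqlite3

# Look up the base offset for a location, join any daylight saving period that
# covers the GMT timestamp, and shift the timestamp by the total in minutes.
# Timestamps are ISO 'YYYY-MM-DD HH:MM:SS' text so string comparison orders them.
LOCAL_TIME_SQL = """
SELECT datetime(:gmt, (l.BaseOffsetMin + COALESCE(d.DstOffsetMin, 0)) || ' minutes')
FROM Locations AS l
LEFT JOIN DaylightSaving AS d
  ON d.Location = l.Location
 AND :gmt >= d.StartUtc
 AND :gmt <  d.EndUtc
WHERE l.Location = :loc
"""


def make_dst_db() -> sqlite3.Connection:
    """Constructed sample tables (hypothetical names Locations / DaylightSaving)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Locations (Location TEXT PRIMARY KEY, BaseOffsetMin INTEGER)"
    )
    conn.execute(
        "CREATE TABLE DaylightSaving ("
        "Location TEXT, StartUtc TEXT, EndUtc TEXT, DstOffsetMin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO Locations VALUES (?, ?)",
        [("London", 0), ("New York", -300), ("Perth", 480)],
    )
    # 2011 daylight saving periods expressed in UTC (end is exclusive).
    # Perth observed no daylight saving in 2011, so it has no row here.
    conn.executemany(
        "INSERT INTO DaylightSaving VALUES (?, ?, ?, ?)",
        [
            ("London", "2011-03-27 01:00:00", "2011-10-30 01:00:00", 60),
            ("New York", "2011-03-13 07:00:00", "2011-11-06 06:00:00", 60),
        ],
    )
    return conn


def to_local(conn: sqlite3.Connection, gmt: str, location: str):
    """Convert a GMT timestamp to local time for the location; None if unknown."""
    row = conn.execute(LOCAL_TIME_SQL, {"gmt": gmt, "loc": location}).fetchone()
    return row[0] if row else None
```

Keeping the period boundaries in UTC in the table avoids the ambiguity of the local clock jumping at the changeover, and the half-open range (start inclusive, end exclusive) means a timestamp exactly at the end of the period is already on standard time.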
Wednesday, 8 June 2011
LogiXML limitation - Using text type parameters
When using text type parameters in LogiXML, we have to make sure the parameter values comply with the URL standards, since LogiXML uses a post back on the web page to send the parameter values.
The following web page shows what characters should be encoded when passing through URL:
http://www.blooberry.com/indexdot/html/topics/urlencoding.htm
There are several ways to work around this problem:
1. Encode and decode the text in the SQL script, since we only use these values to refresh the charts on dashboards.
SQL functions to encode and decode URL strings:
http://sqlblog.com/blogs/peter_debetta/archive/2007/03/09/t-sql-urlencode.aspx
http://sqlblog.com/blogs/peter_debetta/archive/2007/03/09/t-sql-urldecode.aspx
2. Use JavaScript to encode and decode the text before and after the post back.
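As an added example (not from the post and not LogiXML code), the following shows why unencoded text breaks a post back and what the encode/decode step looks like, using Python's standard urllib.parse rather than the T-SQL functions or JavaScript mentioned above. The parameter names and sample values are constructed.

```python
from urllib.parse import parse_qs, quote, unquote


def encode_param(value: str) -> str:
    """Percent-encode a parameter value. safe='' means '/' is encoded too, so
    only unreserved characters (letters, digits, '-', '_', '.', '~') pass through."""
    return quote(value, safe="")


def decode_param(value: str) -> str:
    """Reverse of encode_param, i.e. what the receiving side of the post back does."""
    return unquote(value)


def needs_encoding(value: str) -> list:
    """Characters in value that do not survive a URL unchanged, in first-seen order."""
    seen = []
    for ch in value:
        if quote(ch, safe="") != ch and ch not in seen:
            seen.append(ch)
    return seen


def naive_query(name: str, value: str) -> str:
    """Query string built by pasting the raw value in, as happens when the
    text parameter is posted back without encoding."""
    return f"{name}={value}"


def safe_query(name: str, value: str) -> str:
    """Query string with both name and value percent-encoded."""
    return f"{encode_param(name)}={encode_param(value)}"


def parse_value(query: str, name: str):
    """What a standard query-string parser hands to the page for 'name'.

    parse_qs splits on '&' and '=' first and then percent-decodes, so a raw
    '&' or '=' inside a value truncates it and a raw '+' becomes a space."""
    return parse_qs(query).get(name, [None])[0]
```

The constructed value `Bolt & Nut=Inc#1` arrives as `Bolt ` when pasted in raw, because the `&` starts a new parameter; encoded, it round-trips intact. The same applies to `+`, which the parser turns into a space unless it was encoded as `%2B`.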