When a hash variable that carries a URL parameter or any other user-supplied value is used in the SQL query, make sure that hash variable is escaped in the query. Use the hash variable escape keywords; see Hash Variable - Escaping the Resultant Hash Variable. Example of VULNERABLE query:

To fix this, use the ?sql hash variable escape:
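As an added illustration that is not part of this page or of Joget's own code, the following Python models how a request-parameter hash variable is resolved into the binder's SQL text, once without an escape suffix and once with ?sql. The `#requestParam.KEY#` syntax, the sample query and the quote-doubling escape rule are assumptions made for the demonstration, not a description of Joget's implementation.

```python
import re

# Added example (not Joget's code): a minimal model of hash variable substitution.
# Matches #requestParam.KEY# and #requestParam.KEY?FORMAT# (syntax assumed for the demo).
HASH_VAR = re.compile(r"#requestParam\.(?P<key>\w+)(?:\?(?P<fmt>\w+))?#")


def escape_sql(value: str) -> str:
    """Escape a value so it stays inside a single-quoted SQL string literal.

    Doubling single quotes is an assumed escaping rule for this demo.
    """
    return value.replace("'", "''")


ESCAPERS = {"sql": escape_sql}


def resolve_hash_variables(query: str, request_params: dict) -> str:
    """Substitute request-parameter hash variables into the query text.

    Without an escape suffix the raw value is pasted into the SQL, so any quote
    in user input terminates the string literal and the remainder is parsed as SQL.
    """
    def replace(match: re.Match) -> str:
        value = request_params.get(match.group("key"), "")
        fmt = match.group("fmt")
        if fmt is None:
            return value  # raw substitution: the vulnerable case
        try:
            return ESCAPERS[fmt](value)
        except KeyError:
            raise ValueError(f"unsupported hash variable escape format: {fmt}") from None
    return HASH_VAR.sub(replace, query)


def quotes_balanced(sql: str) -> bool:
    """Crude check: an odd number of single quotes means a literal was broken open."""
    return sql.count("'") % 2 == 0


# Constructed queries in the style of the binder's SQL SELECT Query field.
VULNERABLE_QUERY = "SELECT id, name FROM customer WHERE name = '#requestParam.name#'"
ESCAPED_QUERY = "SELECT id, name FROM customer WHERE name = '#requestParam.name?sql#'"

# Constructed request: a legitimate value that happens to contain a quote.
REQUEST = {"name": "O'Brien"}

if __name__ == "__main__":
    for label, query in (("unescaped", VULNERABLE_QUERY), ("?sql", ESCAPED_QUERY)):
        sql = resolve_hash_variables(query, REQUEST)
        print(f"{label:9} balanced={quotes_balanced(sql)}  {sql}")
```

In the real binder the substitution happens inside Joget before the statement reaches the database, so the check to make is a review of the SQL SELECT Query field: every hash variable whose value comes from a request parameter or other user input must carry the ?sql suffix, as in `#requestParam.name?sql#`.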
The JDBC Datalist Database Binder gives you the flexibility of designing a datalist with your own custom SQL queries and database connection.
Name | Description
---|---
Datasource | Target database to execute SQL statements on. Choose the "Custom Datasource" option to supply your own JDBC driver, URL, username and password in the fields below.
Custom JDBC Driver | JDBC driver class name. Only applicable to the "Custom Datasource" option.
Custom JDBC URL | Database connection URL. Example: jdbc:mysql://localhost:3306/jwdb. Only applicable to the "Custom Datasource" option.
Custom JDBC Username | Database username. Example: root. Only applicable to the "Custom Datasource" option.
Custom JDBC Password | Password of the specified database user. Only applicable to the "Custom Datasource" option.
SQL SELECT Query | SQL SELECT query used to populate the datalist.
Primary Key | Defines the primary key column. By default this should be "id".
Optimize query for paging | When checked, the binder fetches only the selected page's rows instead of returning the whole result set, which improves performance when paging through large datasets. Only works with MySQL and with Microsoft SQL Server 2012 onwards.
APP_datalist_using_jdbc_dx_kb.jwa