Insights

Creating Secure Custom Filters in Kentico

When doing any custom development, it is important to ensure you don’t make your site vulnerable to SQL injection attacks. Fortunately, Kentico provides developers and site administrators with easy ways to protect their sites. In this post, I provide a use case scenario on creating secure filters with Kentico programmatically, or using querystrings.

When doing any custom development, it is important to ensure you don’t make your site vulnerable to SQL injection attacks. Fortunately, Kentico provides developers and site administrators with easy ways to protect their sites. In this post, I provide a use case scenario on creating secure filters with Kentico programmatically, or using querystrings.

Consider this scenario: You are creating a new page type that will provide editors with an easy way to add cocktail recipes to your site. You want to provide a way to show how potent the drink is, but you don’t want to allow the editor to type in whatever they want because said editor lacks a censor. So, you decide to use the drop down list form control and limit what the editor can select. You also decide to allow users to filter by potency and search by drink name.

Programmatically

You read Kentico’s documentation on creating a custom filter and follow the example provided.

Finally you add the Filter web part to your page and set the filter in the repeater. Your colleagues praise you for your ability to create such a useful source of information.

Unfortunately, your cocktail recipe competitor and childhood frenemy, Sir DrinksAlot, soon finds a vulnerability in your site and enters the following text into your search box


    a'); Update custom_Cocktail set Name='Sir DrinksAlot Makes It Better' where CocktailID > 0 --

This results in the name of all of your cocktails being changed to “Sir DrinksAlot Makes it Better”.

So you read the documentation on preventing SQL Injection and use the methods SqlHelper.EscapeQuotes() and SqlHelper.EscapeLikeText() to prevent this kind of violation from ever happening again. And, while you are upset about being violated, you are glad that DrinksAlot didn’t take the opportunity to add himself to your CMS_User table as a global admin or drop one of your tables. Curious about how these methods affect the SQL query, you look at the SQL Queries in the Debug Application in Kentico.

QueryString

You use an editable text area web part which you add a dropdown list and a search box to. Then you use Javascript to reload the page with the querystrings.

In your repeaters where condition you use a macro to get the querystring parameters.


{%  
  String query = "";
   if(QueryString.potency != null) { query += "Potency='"+QueryString.potency+"'" }
   if(QueryString.name != null) { if(QueryString.potency != null) { query += " AND "} 
      query += "Name LIKE '%"+QueryString.name+"%'"
   }
    return query;
|(user)nmiller|(hash)b5b740935c6a18a5a63a90192a2588885bb3463121180b2e450e0f47f5d74514%}

But you get an error :
[Error loading the control ‘Repeater’, check event log for more details]

And after looking at the event log you see that Kentico is trying to ruin your life by adding extra apostrophes to the SQL query, so you try to find a way to make it stop doing that and come up with:


{%  
  String query = "";
   if(QueryString.potency != null) { query += "Potency='"+QueryString.potency+"'" }
   if(QueryString.name != null) { if(QueryString.potency != null) { query += " AND "} 
      query += "Name LIKE '%"+QueryString.name+"%'"
   }
    return query;
   |(handlesqlinjection)false 
|(user)nmiller|(hash)69e7c348585f5585ddb3d50bd5b39ca6b8d1754de734a2512f86ec41354ac9a1%}

Yay! Now it works. However, you just disabled Kentico’s built-in protection against SQL Injection attacks and you know your buddy Sir DrinksAlot takes every opportunity to make you look foolish while promoting his own cocktail recipes (take a look at what he did in the above scenario). So, you read the documentation on Macros and Security and add the SQLEscape() method to your macro to prevent any injection.

{%  
  String query = "";
   if(QueryString.potency != null) { query += "Potency='"+SQLEscape(QueryString.potency)+"'" }
   if(QueryString.name != null) { if(QueryString.potency != null) { query += " AND "} 
      query += "Name LIKE '%"+SQLEscape(QueryString.name)+"%'"
   }
    return query;
  |(handlesqlinjection)false
|(user)nmiller|(hash)aa189cb54af8c57f4ba3907d3a33092c1ed197dfe40404b5bb1683dfb019153e%}

So there you have it. Two different ways to create secure filters for your site. I prefer to create the filters from code behind, but if you are unable to access the server, using querystrings are an acceptable alternative. Regardless of how you choose to implement your filters, when you are doing any custom development or disabiling Kentico’s built in protection, it is important to ensure that you add in the proper security measures. Luckily, Kentico has already thought of these things and all you have to do is call the methods!

Get in touch with us if you would like to discuss more ways to check and enhance the security of your site!

Let's Talk

Get in Touch

Ready to start a project? Need support? Or, have a question? Connect with us!