Preventing SQL injection in low-code web applications

Categories ASP.NET, News, PHP, Tutorials

The main difference between no-code and low-code applications is that you can easily extend low-code applications by adding your own code. This gives you both power and responsibility, and we are going to talk about some typical mistakes people make while adding their own code.

Let me show you an example of the code one of our clients was using in the BeforeLogin event:

// $username comes straight from the login form and is concatenated into the query
$rs = DB::Query("select * from users where username like '".$username."'");
$data = $rs->fetchAssoc();
...

Can you tell what is wrong here? If not, keep reading.


The problem is that the $username variable is inserted into the SQL query as is, which opens the door to SQL injection. Because the value is dropped inside a quoted string, a username such as x' or '1'='1 closes that string and appends its own condition, and the query then matches every row instead of one user. Every time you pass something the user entered directly into a SQL query you are in trouble: attackers will be able to read your sensitive data, bypass checks like this login, or even modify the data.

The correct approach is to use the PrepareSQL function. The :1 placeholder is replaced with an escaped copy of $username, so quote characters in the input can no longer break out of the string literal and the value is treated as data rather than as SQL. One caveat: escaping quotes does not neutralize LIKE wildcards, so a username of % would still match every row; when you need an exact match, compare with = instead of like.

// :1 is replaced with the escaped value of $username before the query is run
$sql = DB::PrepareSQL("select * from users where username like ':1'", $username);
$rs = DB::Query($sql);
$data = $rs->fetchAssoc();
...

This little change will make your life so much easier.
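To see both halves of the argument run end to end, here is an added example that is not part of the original post and does not use PHPRunner's DB::Query or DB::PrepareSQL. It models the same lookup in Python against an in-memory SQLite table with constructed sample rows: the concatenated query from the BeforeLogin snippet, the parameterized form that plays the role PrepareSQL plays above, and an exact-match variant that also closes the LIKE wildcard gap. The table layout, user names and payload are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the application's users table.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, email text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Mirrors the original snippet: user input is concatenated into the query.

    A value like  nobody' or '1'='1  closes the string literal and appends its
    own condition, so the query returns every row.
    """
    sql = "select * from users where username like '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the driver binds the value, so quotes are data, not SQL.

    This is the same idea as the page's PrepareSQL placeholder, done with
    sqlite3's own ? parameter. LIKE wildcards (% and _) inside the value are
    still honoured, because binding protects the syntax, not the semantics.
    """
    sql = "select * from users where username like ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_exact(conn: sqlite3.Connection, username: str) -> list:
    """Bound value plus an equality comparison: no injection, no wildcards."""
    sql = "select * from users where username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "nobody' or '1'='1"
    print(lookup_vulnerable(conn, payload))      # all three rows: login bypassed
    print(lookup_parameterized(conn, payload))   # []: payload is just an odd username
    print(lookup_parameterized(conn, "%"))       # all three rows: LIKE wildcard
    print(lookup_exact(conn, "%"))               # []: wildcard has no meaning with =
```

Running the script prints three rows for the injected payload against the concatenated query and an empty result for the same payload against the bound query; the last two lines show why an exact comparison is the safer choice for a login lookup even after the injection is fixed.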

Additional reading:
Building secure low-code web applications (Section 11)

We also added SQL injection as one of the topics of the DevQuest contest (step 8).
