SQL Query Unsafe Activity
Description:
Performs a SQL SELECT query on a database and returns a DataTable of results. This activity allows the SQL command to be specified by an input argument.
Inheritance Hierarchy:
System.Object
System.Activities.Activity
System.Activities.AsyncCodeActivity
Geocortex.Workflow.Activities.SqlQueryUnsafe
The SQL Query Unsafe activity allows the SQL command to be determined at runtime by variables and expressions in the workflow. Do not use unsanitized values from untrusted sources to assemble the command.
Improper use of this activity can allow malicious users to perform SQL injection attacks that could compromise your database.
Do not use this activity unless you are 100% certain that your usage is not vulnerable to SQL injection.
Function:
This activity allows you to perform a parameterized SQL SELECT query on a database using the ADO.NET provider that you specify.
This activity has a subtle but important difference from the SQL Query activity.
- The SQL Query activity has a Command Text property that must be set to a string value by the workflow author at design time. There is no way for the workflow logic or the end user to influence the SQL command at runtime.
- The SQL Query Unsafe activity has a Command Text input argument that the workflow author sets to an expression at design time. The expression is evaluated at runtime to determine the SQL command to execute. This is powerful because you can use workflow logic, activities, variables and expressions to craft the SQL command. However, it can also be dangerous if used improperly. If you build the SQL command using unsanitized input from the end user, the end user's inputs could alter the command so that it performs actions the author did not intend, for example querying a different table or running computationally intensive queries.
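The following Python/sqlite3 illustration is added here to make the distinction concrete; it is not Geocortex code (the activity itself runs on ADO.NET), and the `parcels` table, its columns and rows, and the allowlists are constructed for the example. It shows the failure mode of splicing an end-user value into the command text (even a legitimate value containing a quote becomes part of the SQL grammar), the parameterized form in which the value is passed separately, and a small check that the named parameters referenced by the command text are all supplied, in the spirit of the requirement that Parameters agree with the Command Text parameters.

```python
import re
import sqlite3

# Constructed sample data for the example; not the page's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parcels (id INTEGER PRIMARY KEY, owner TEXT, zone TEXT)")
    conn.executemany(
        "INSERT INTO parcels (owner, zone) VALUES (?, ?)",
        [("Alice", "R1"), ("O'Brien", "C2"), ("Bob", "R1")],
    )
    conn.commit()
    return conn

# Runtime-determined structural parts of the command (table, column) are
# restricted to an allowlist; they can never be parameterized, so they must
# never come straight from end-user input.
ALLOWED_TABLES = {"parcels"}
ALLOWED_COLUMNS = {"owner", "zone"}

def is_allowed(table, column):
    return table in ALLOWED_TABLES and column in ALLOWED_COLUMNS

def build_command(table, column):
    """Assemble command text from allowlisted fragments plus a named parameter."""
    if not is_allowed(table, column):
        raise ValueError("table or column not allowed")
    return f"SELECT id, owner, zone FROM {table} WHERE {column} = :value"

PARAM_RE = re.compile(r":([A-Za-z_]\w*)")

def missing_parameters(sql, params):
    """Parameter names referenced in the command text but absent from `params`."""
    return sorted(set(PARAM_RE.findall(sql)) - set(params))

def query_unsafe(conn, column, value):
    """Interpolates the end-user value into the command text: the pattern to avoid."""
    sql = f"SELECT id, owner, zone FROM parcels WHERE {column} = '{value}'"
    return conn.execute(sql).fetchall()

def unsafe_query_fails(conn, column, value):
    """True when the interpolated value changes the statement's grammar and sqlite rejects it."""
    try:
        query_unsafe(conn, column, value)
    except sqlite3.OperationalError:
        return True
    return False

def query_parameterized(conn, table, column, value):
    """Allowlisted command text; the end-user value travels as a parameter, never as SQL."""
    sql = build_command(table, column)
    params = {"value": value}
    missing = missing_parameters(sql, params)
    if missing:
        raise ValueError(f"parameters missing for command text: {missing}")
    return conn.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(query_parameterized(db, "parcels", "owner", "O'Brien"))
    print("unsafe form breaks on a quoted name:", unsafe_query_fails(db, "owner", "O'Brien"))
```

The name `O'Brien` is an ordinary value, yet the interpolated form turns its apostrophe into a string delimiter and the statement no longer parses; any input that can change the grammar that way can also change what the query does. The parameterized form returns the matching row regardless of what characters the value contains, and the allowlist is the only place where runtime logic is permitted to shape the command text itself.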
In a Workflow:
You would use this activity to perform a query on a database and then pass the DataTable of results to other activities.
Properties:
Name | Description |
---|---|
In Arguments | |
Command Text | The SQL query to issue. Do not use unsanitized values from untrusted sources to assemble the command. |
Parameters | The parameters of the SQL statement. When you configure the Parameters property, Workflow Designer opens a pop-up dialog where you enter the list of parameters. The parameters must agree with the Command Text parameters in name, type, and direction. |
Misc | |
Command Timeout | The time in seconds to wait for the command to execute. |
Connection Configuration Name | The name of the connection string specified in the application's configuration file (app.config or web.config) to use in order to open a database connection. |
Connection String | The connection string to use in order to open a database connection. |
Display Name | Default: SqlQueryUnsafe. You can change the name of an activity to one that describes what it does. A descriptive name can make a workflow easier to interpret and maintain. |
Provider Name | The provider name to use in order to open a database connection. |
Out Arguments | |
Results | The results of the query as a |
Version Information:
Supported from: Geocortex Essentials 4.5.