I have given my code for Security code Scanner but it is given the following error due to
Query: Stored XSS
My query is like this.
loan=Database.query('SELECT Name,fintechLLC__Application__c ,fintechLLC__Legal_Corporate_Name__c,fintechLLC__Last_Month_Trans__c, fintechLLC__X2_Month_ago_Trans_del__c,fintechLLC__X3_Month_ago_Trans__c,CreatedDate,fintechLLC__Monthly_Ending_Bal__c,Max_Rate__c,fintechLLC__Term__c,fintechLLC__Funding_Amount__c,fintechLLC__Business_DBA_Name__c,fintechLLC__Credit_Score__c, fintechLLC__Business_DBA_Years_in_Business__c,fintechLLC__Avg_Daily_Bank_Bal__c FROM fintechLLC__Loan__c where id=\''+loanId+'\'');
Kindly help me in this
In your Dynamic query, you should use String.escapeSingleQuotes to prevent SOQL injection.
Go up the path for the variable loadId, and make sure that in your visualforce page it's wrapped properly either by JSENCODE or HTMLENCODE - which depends on how you use it.
loan=Database.query('SELECT Name,fintechLLC__Application__c ,fintechLLC__Legal_Corporate_Name__c,fintechLLC__Last_Month_Trans__c, fintechLLC__X2_Month_ago_Trans_del__c,fintechLLC__X3_Month_ago_Trans__c,CreatedDate,fintechLLC__Monthly_Ending_Bal__c,Max_Rate__c,fintechLLC__Term__c,fintechLLC__Funding_Amount__c,fintechLLC__Business_DBA_Name__c,fintechLLC__Credit_Score__c, fintechLLC__Business_DBA_Years_in_Business__c,fintechLLC__Avg_Daily_Bank_Bal__c FROM fintechLLC__Loan__c where id=\''+String.escapeSingleQuotes(loanId)+'\'');
Related
I am trying to use endsWith filter on /users endpoint but I feel like I'm losing my mind. It simply doesn't work for me in the official example:
https://developer.microsoft.com/en-us/graph/graph-explorer?request=users%3F%24count%3Dtrue%26%24filter%3DendsWith(mail%2C%27%40hotmail.com%27)%26%24select%3Did%2CdisplayName%2Cmail&method=GET&version=v1.0&GraphUrl=https://graph.microsoft.com&headers=W3sibmFtZSI6IkNvbnNpc3RlbmN5TGV2ZWwiLCJ2YWx1ZSI6ImV2ZW50dWFsIn1d
In this example, the problematic header 'ConsistencyLevel' is set, but it doesn't help. So what's going on here ? I'm actually interested in the 'mail' property for endsWith, but if the official example doesn't work than I'm not sure what to expect.
edit:
I have tried the same Query WITHOUT ConsistencyLevel:eventual and it failed with same error.
https://graph.microsoft.com/v1.0/users?$count=true&$search="displayName:room"&$filter=endsWith(mail, '#microsoft.com')&$orderBy=displayName&$select=id,displayName,mail
As a solution , I tried the same Query WITH ConsistencyLevel:eventual and it worked.
Note: Add the ConsistencyLevel Eventual in request header and provide the appropriate Consent permission to make it work.
https://graph.microsoft.com/v1.0/users?$count=true&$search="displayName:room"&$filter=endsWith(mail, '#microsoft.com')&$orderBy=displayName&$select=id,displayName,mail
I could not find an answer to this. I found the previous similar question unanswered. I'd like to use Spring data solr for queries. But #Query is insufficient for my needs. As I understood, whatever you give here becomes a q parameter to `select' handler of solr.
In my case I need to add more parameters for example sfield for a spatial search. If #Query wont cut it, I am ready to write a custom repository implementation by autowiring SolrTemplate, But then the Criteria API does not seem to let me add a raw query parameter either.
Any help/points will be greatly appreciated.
I worked around it by creating a QueryParser decorator that adds the required parameters to a parsed solr query. The QueryParser was registered using solrTemplate.registerQueryParser().
Note however that I had to do a really nasty hack to get this working, since all queries that are sent to solrTemplate.queryForPage are wrapped by a static package protected inner class in QueryBase. So my registration code above had to be in a package org.springframework.data.solr.core
Everyone.
I have been trying to create user info saving process, and bumped into this issue.
I wanted to use mysql function password() for password field, but seems no way to use MySQL function when to save data.
Is there any way to do this or simply it s impossible in CakePHP?
Thank you.
TLDR:
$this->data['MyModel']['password'] =
DboSource::expression('PASSWORD('.$password.')');
More Details:
I agree with the commenter that it's not ideal to do what you're asking, but if you really want to, you CAN run a regular MySQL query directly with the query() method. More info here:
http://book.cakephp.org/2.0/en/models/retrieving-your-data.html#model-query
Example:
$this->Picture->query("SELECT * FROM pictures LIMIT 2;");
Or use the method mentioned above in the "TLDR" which allows you to use MySQL functions to process your data.
Different (but recommended) method:
Here is the documentation on how to hash your password the CakePHP way:
http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#hashing-passwords
I'm writing a url shortener, I already solve url shortening. Given a certain long URL (LURL), I get a CODE with the help of a script and a database to form a short URL (SURL) of the type:
mysite.com/CODE
So the ralationship between the code and the LURL is stored and must be consulted in the DB. Now as you can see I need a way to do that. My plan is that all the all url in mysite.com direct to the same page where the CODE is taken as a parameter and in this way make a consult in the db fetching the code from the SURL and then redirect with a script to the LURL.
I dont want to generate a SURL that uses a GET request like:
mysite.com/?CODE
It would be easier but I decided not to do it because it defeats the propose of url shorteners by occupying a character unnecessarily.
How would you implement it? Is this method convenient? If you do not think so I would really appreciate you give me your opinion. Maybe there are better ways to do it now that I already have the DB and the shortening algorithm. See you later.
http://www.webcheatsheet.com/PHP/get_current_page_url.php
check out the curPageURL() function.
$pageURL = curPageURL();
$itemArray= explode("/", $pageURL);
$myCode = $itemArray[1];
something like that will do, but not tested. It just gives you an idea of what you can do.
also, to get the url, here is an simplified version: http://phpeasystep.com/phptu/27.html
i'm using Solrj in the dao tier of my application. What i want to know is how can i get
the full query string of the request.
For example: select?q=*:*&fq=active:true
Method SolrQuery.getQuery() only returns the q=XXX part (*:* in my example)
Thx
I don't have the proper environment to test it, but SolrQuery.toString() should get you close enough.