DASL Query Security

  • Question

  • Hi,

We are using DASL queries to filter mail items, for example by messageId or subject.

A sample DASL query which we are using is:

    // Builds the filter by concatenating the user-supplied subject into the query string.
    // The property tag is placed in double quotes and the LIKE value in single quotes.
    string filter = "@SQL=\"http://schemas.microsoft.com/mapi/proptag/0x0037001E\" LIKE '%" + obj.subject + "%'";

The "obj" object has a "subject" property; the subject property is a string, and we get its value from the user.

My questions are:

1- Is a DASL query vulnerable to SQL injection? If it is vulnerable, how can we parametrize the DASL query?

2- If it is not vulnerable, I wonder how a DASL query prevents this vulnerability?

    Thanks in advance

    Thursday, March 5, 2020 7:59 AM

All replies

  • You should always quote special characters, which means all single quote (') and backslash (\) characters must be prefixed with \.

    Dmitry Streblechenko (MVP)
    http://www.dimastr.com/redemption
    Redemption - what the Outlook Object Model should have been
    Version 5.5 is now available!

    Friday, March 6, 2020 12:19 AM
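The escaping rule from the reply above, carried through in working code. This is an added example, not code from the original thread or from Redemption: it escapes a user-supplied value before embedding it in a single-quoted DASL literal, builds the "subject contains" filter from the question, and keeps the unescaped construction alongside it so the difference is visible. The `DaslFilter` class, its method names and the sample input are my own; the `items.Restrict` call in the trailing comment assumes an Outlook `Items` collection from the Outlook Object Model.

```csharp
using System;

// Added example (not from the thread): escaping a user-supplied value for a
// DASL filter per the reply above, i.e. every backslash and single quote in
// the value is prefixed with a backslash.
public static class DaslFilter
{
    // MAPI PR_SUBJECT property tag used in the question.
    public const string SubjectTag =
        "http://schemas.microsoft.com/mapi/proptag/0x0037001E";

    // Escape a value so it can sit between single quotes in a DASL query
    // without terminating the literal. Backslashes are handled first so the
    // backslashes added in front of quotes are not doubled a second time.
    public static string EscapeLiteral(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        return value.Replace("\\", "\\\\").Replace("'", "\\'");
    }

    // "Subject contains <text>" filter: property reference in double quotes,
    // escaped comparison value in single quotes, % as the LIKE wildcard.
    public static string SubjectContains(string userText)
    {
        return "@SQL=\"" + SubjectTag + "\" LIKE '%" + EscapeLiteral(userText) + "%'";
    }

    // The unescaped construction from the question, kept only for comparison.
    // A quote or backslash in userText changes the structure of the filter.
    public static string SubjectContainsUnescaped(string userText)
    {
        return "@SQL=\"" + SubjectTag + "\" LIKE '%" + userText + "%'";
    }

    public static void Main()
    {
        // Constructed sample input containing both characters the reply says
        // must be escaped: a single quote and a backslash.
        string input = "O'Brien\\Q1 report";

        // In the unescaped filter the apostrophe closes the literal early and
        // the remainder of the value is parsed as filter syntax.
        Console.WriteLine("unescaped: " + SubjectContainsUnescaped(input));

        // In the escaped filter the whole value stays inside one literal.
        Console.WriteLine("escaped:   " + SubjectContains(input));

        // Typical use with the Outlook Object Model (assumption: "items" is an
        // Outlook.Items collection obtained from a folder; not shown here):
        // Outlook.Items matches = items.Restrict(SubjectContains(input));
    }
}
```

`EscapeLiteral` only keeps the value inside its quotes; it does not touch `%`, which the filter already uses as a wildcard, so a user can still widen the match with extra `%` characters. Whether that matters depends on what the filter is protecting, and if it does, strip or reject wildcard characters separately before escaping.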