is it possible to do SQL Injection in Odata? - odata

OData has functions like $select or $expand which are for querying data. Now my question is, is it possible to do SQL injection in those functions?
If so, how to inject a "Time-based" / other SQLi payload to confirm?
Thanks

Related

SAP OData Service Filter is not filtering

I'm learning to get delta data from the SAP Fiori sample gateway to Azure SQL by using Azure Data Factory and the filter feature on the OData service.
I'm using the OData Service exposed by the Fiori sample, and one of the sample tables is PurchaseOrders.
I tried like this:
$filter=ChangedAt ge datetime '2020-09-08T22:00:00'
But it still returns all the records.
I found sap:filterable is false in the metadata.
Is filterable being false what prevents me from filtering this?
Is there any other way to do delta extraction on OData rather than using filter?
Thank You
As #Boghyon wrote above, "sap:filterable" is just an annotation, which can help to build the UI. You have to check the DPC_EXT class's GET_ENTITY_SET method of the entity type that you try to filter. If filtering isn't implemented then (1) in case of a standard service you're more or less stuck (it cannot be filtered for a reason), (2) in case of a custom service you can implement filtering.

OData Service Definitions - ordering tables in .xsodata file

I'm new to SAP HANA and I'm trying to sort a table in a .xsodata file. Is that possible?
Best regards.
There's no option to specify the sorting order in the OData service definition.
Usually, the OData client specifies the expected order via the $orderby URL parameter.

When will Breeze support ANY filtering (where predicate on children relationship)?

We have a need to select records based on the value of a related child table's properties. I discovered today that this feature is supported in OData with a keyword called 'any'. Further, it's supported in the default Breeze server implementation (using Entity Framework). Using the same server that my Breeze client does, I can enter an OData query in a browser using the 'any' keyword and select records on a related child's field value. For example:
.../Issue?$filter=oIssueImages/any(ii: ii/IssueImageRef eq 4)
And it works! But, there is no support for this in the breezejs client code.
FWIW: I found this breeze feature request: https://breezejs.uservoice.com/forums/173093-breeze-feature-suggestions/suggestions/3988038-adding-any-and-all-filter-operators
Anyone know when breeze will implement this feature?
Updated post: 11/25/13
As of Breeze 1.4.6, 'any' and 'all' operators are now supported.
So your client side Breeze query would look something like:
var query = EntityQuery.from("Issue")
.where("oIssueImages", "any", "IssueImageRef", "==", 4);
myEntityManager.executeQuery(query).then(...)
Also see: http://www.breezejs.com/documentation/query-examples
Older post
Please vote it up. This is a really good feature, but we really do try to accommodate those features that get the most votes.

What is the fastest way to get any object JSON from the database to the client without leaving behind opportunities for SQL injection?

What is the fastest way to get JSON from the database to the client without leaving behind opportunities for SQL injection?
I am looking at paging, insert, update, delete, sort, etc... against any table in my schema.
This all depends on what data you are querying.
The fact you are using JSON doesn't have anything to do with SQL injection; it's more the calls to the database that would be a concern.
On the server side do not form any dynamic SQL.
1. Use stored procedures (and do not include any dynamic SQL in a stored proc; if you do, make sure you use sp_executesql and not EXEC, as sp_executesql can take a parameterized query).
2. Use parameterized queries.
3. Use an ORM (e.g. Entity Framework), which uses parameterized queries behind the scenes anyway.
Try not to use any dynamic SQL; if you must for some reason, then make sure you use parameterized queries.
Then for your result, from your controller simply return
return Json(yourModel);
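The answer above lists the rules (bind values as parameters, never concatenate, and if you must build SQL dynamically, do it the sp_executesql way). The following is an added example, not code from the original post or from any of the answerers, that shows the same three points in Python with the standard-library sqlite3 driver standing in for SQL Server: a vulnerable concatenated WHERE beside its parameterized form, and a paging/sort query where the parts that cannot be bound as parameters (table name, ORDER BY column, direction) are checked against the live schema before being spliced in, while LIMIT/OFFSET are bound as integers. The users table, its columns and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the original page).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com", 1),
    (2, "bob", "bob@example.com", 0),
    (3, "carol", "carol@example.com", 1),
]

# Tables the paging endpoint is allowed to touch; everything else is refused
# before its name gets anywhere near a SQL string.
ALLOWED_TABLES = {"users"}


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, active INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_by_name_vulnerable(conn, name: str) -> list:
    """Dynamic SQL by string concatenation: the caller's text is parsed as SQL."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name: str) -> list:
    """Parameterized query: the value travels separately and is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def _columns_of(conn, table: str) -> set:
    """Column names of an allow-listed table, read from the schema itself."""
    if table not in ALLOWED_TABLES:
        raise ValueError("table not allowed: %r" % table)
    # table is a known-good literal from ALLOWED_TABLES at this point.
    return {row[1] for row in conn.execute("PRAGMA table_info(%s)" % table)}


def page_safe(conn, table: str, sort_col: str, descending: bool, page, page_size) -> list:
    """Paged, sorted read where identifiers are allow-listed and numbers are bound."""
    if sort_col not in _columns_of(conn, table):
        raise ValueError("unknown sort column: %r" % sort_col)
    direction = "DESC" if descending else "ASC"
    # Identifiers cannot be bound as parameters, so they are spliced in only after
    # validation; quoting them keeps a column named like a keyword working.
    sql = 'SELECT id, name FROM "%s" ORDER BY "%s" %s LIMIT ? OFFSET ?' % (
        table, sort_col, direction)
    # int() rejects anything that is not a plain integer, e.g. "1 OR 1=1".
    size = int(page_size)
    return conn.execute(sql, (size, int(page) * size)).fetchall()


def is_rejected(conn, table: str, sort_col: str) -> bool:
    """True when page_safe refuses the identifier (the allow-list doing its job)."""
    try:
        page_safe(conn, table, sort_col, False, 0, 1)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run the same injection payload through both query styles."""
    conn = make_db()
    payload = "x' OR '1'='1"
    return {
        "vulnerable_rows": len(find_by_name_vulnerable(conn, payload)),  # 3: payload became SQL
        "safe_rows": len(find_by_name_safe(conn, payload)),              # 0: treated as a literal name
        "page": page_safe(conn, "users", "name", True, 0, 2),            # [(3, 'carol'), (2, 'bob')]
        "bad_column_rejected": is_rejected(conn, "users", 'name"; DROP TABLE users; --'),
    }


if __name__ == "__main__":
    print(demo())
```

The identifier check is the part people forget: a sort column or table name chosen by the client cannot be a bound parameter in any SQL dialect, so the only sound options are an allow-list (here taken from the schema) or a fixed mapping from client tokens to column names. On SQL Server the same split applies inside a stored procedure: values go through sp_executesql's parameter list, identifiers through validation plus QUOTENAME before concatenation.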

Entity Framework 4: Math.Sin()-function

Is there a possibility to call the Math.Sin() function in a LINQ to Entities (Entity Framework 4) query?
I've read that the current Entity Framework 4 doesn't implement this function.
Maybe there's a workaround to solve this problem?
(I don't want to load all entries into memory.)
Thanks and best regards
Several functions that (usually) have obvious SQL counterparts, like Math.Sin can't be used directly in Entity Framework queries. Presumably this is because they can't be reliably translated to different SQL implementations. A ton of MSSQL-specific functions are, however, exposed as static methods in the class System.Data.Objects.SqlClient.SqlFunctions. They throw exceptions if you call them directly, but are translated into the proper SQL if used in a LINQ query.
See this blog post about the magic that's happening under the covers (namely the EdmFunction attribute).
It is certainly possible to use such functions starting with EF4. In EF4, the EF team introduced SqlServer functions that can be consumed in LINQ. You should always consider using canonical functions because they are database agnostic and every vendor should convert those functions to store-specific equivalents. However, when such functions are not available, you can resort to the SqlServer namespace (ESQL) or SqlFunctions for LINQ:
// using System.Data.Objects.SqlClient;  -- SqlFunctions is the LINQ-to-Entities surface of these SQL Server functions
var q = from l in db.Locations
        select SqlFunctions.Sin(l.Latitude) + SqlFunctions.Power(l.Longitude, 2);
I cover several of these options in my functions chapter in my book. Specifically you can look at recipe 11-10, Calling Database Function in ESQL, and recipe 11-11, Calling Database Function in LINQ.
Unfortunately it's impossible to call Math.Sin in a LinqToEntities query (or Entity SQL query).
The only way to accomplish this without resorting to retrieving all objects first, is to write a SQL query that does what you want and call it via ObjectContext.ExecuteStoreQuery. This isn't as bad as it sounds because you can still get back typed results.
EDIT: After reading the other answers, it appears that it is possible to call these types of functions (SqlFunctions contains 44 functions with various overloads). I leave my original answer as is because it's another way of achieving the same result.
