Firewall Blocking Requests with searchParams: Security Concerns and Best Practices

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • samo-9
    Junior Member
    • Dec 2024
    • 1

    Firewall Blocking Requests with searchParams: Security Concerns and Best Practices

    Hi,

    I recently encountered an issue where a request to the EspoCRM API using searchParams was blocked by the firewall. This has raised concerns about the security implications of using searchParams.

    What are the potential risks associated with searchParams, such as SQL injection, improper input validation, or data exposure? How does EspoCRM handle these risks through its ORM framework or other built-in security measures to ensure the safety of queries? Furthermore, what best practices should developers follow to prevent such requests from being flagged or exposing vulnerabilities?

    Any advice or guidance would be greatly appreciated!

    Best,
  • yuri
    Member
    • Mar 2014
    • 8453

    #2
    Hi,

    Database queries are generated by a separate layer (the query composer in ORM). We don't use any raw query in all our codebase including extensions. There were no SQL injection reports since the beginning (unlike some other systems built in 2000s where SQL injections were discovered every month).
    If you find EspoCRM good, we would greatly appreciate if you could give the project a star on GitHub. We believe our work truly deserves more recognition. Thanks.

    Comment

    • yuri
      Member
      • Mar 2014
      • 8453

      #3
      > Furthermore, what best practices should developers follow to prevent such requests from being flagged or exposing vulnerabilities?

      I believe it was flagged because of a GET parameter called 'select'.
      If you find EspoCRM good, we would greatly appreciate if you could give the project a star on GitHub. We believe our work truly deserves more recognition. Thanks.

      Comment

    Working...