Hello,
im currently creating a small velocity macro that displays the next X calendar events. I want to add an whitelist type selection to the Macro from which spaces the calendar events shall be shown.
Currently I have an parameter (without defined type) where multiple spaces can be put into, seperated by an semicolon.
This gets splitted into an array and foreach $calendarSpace in the $array the $query get longer by adding or kalender.endDate > :date and doc.space like ${simpleQuotes}${calendarSpace}%${simpleQuotes}
This all then gets executed with $services.query.xwql($query).bindValue('date', $datetool.toDate($datetool)).setLimit($anzahl).execute()
The problem with this is obvoisly, that it is highly vulnerable to sql injections through putting bad things into the macro parameters. Simply deleting or escaping characters from the input is not viewed as secure as far as im aware of (im not an SQL expert).
As far as I understand, using .bindValue(…) to the query like I already use for the current date time is a safe way, as anything in it is handled as an value no matter what characters it contains and this prevents SQL injections.
Is this understanding correct?
And does somebody have an idea, how I can make such an query dynamic and add additional binds with the array values dependent of the array size?
I thought of using the array and .bindValue(…) with a list with in (:myList) like in Query API (XWiki.org) but according to Combining “LIKE” and “IN” for SQL Server - Stack Overflow LIKE and IN can’t be combined. 