Security and birt
vmlinux
I'm writing up a study for my company to compare BIRT, Jasper Reports, and our current e.Report Designer product. I'm rewriting a report in each to get an idea of what we are going to be dealing with, and I'll make a recommendation to the uppers on what to migrate from ERD Pro to.
Most of our reports need to allow customers to list ID numbers in a list, and I've looked at the in_clause.rptdesign example, and I think I could make it work for me; however, I'm concerned about SQL injection checking. Is there anything in BIRT that checks for server-side scripting on parameter strings, or SQL injection on parameters, or would I have to write something to do that, or do all the checking in JavaScript?
I know in ERD Pro if you parametrize the string then it is checked, but if you insert it into your WHERE clause then you open yourself up to attack if there is no additional checking on the string.
Thank you
David Carroll
Comments
mwilliams
David,
You'll have to do your checking of the parameter in your scripting. You can just do this where you write the script for the IN clause.
vmlinux
That's what it looked like to me, but I wanted to be sure. Is there any way to call an external routine that I write to do this using that JavaScript? The reason I ask is that we have hundreds of reports that are going to be rewritten, and I would rather not leave it up to chance that something gets done wrong in the custom code in the WHERE clause. I'm more than willing to fully document how I go about this, and share that documentation, but it seems to me it would be better to have that separate so that if a new attack is identified you can change the code in one place instead of going through the QA process again with hundreds of reports.
vmlinux
Sorry to reply to self, but I think I found the answer in the FAQ (BIRT/FAQ/Scripting - Eclipsepedia: http://wiki.eclipse.org/index.php/BIRT/FAQ/Scripting#Q:_Can_I_add_custom_logic_.28scripting.29_to_my_report.3F):

Q: Can BIRT access existing Java code or objects?

Yes. BIRT uses the Mozilla Rhino JavaScript engine which provides excellent integration with Java. See the Mozilla Rhino Scripting Java article for information about how to call Java from JavaScript.
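As an added example (not BIRT's own code and not posted by anyone in this thread), here is what the checking mwilliams describes can look like when it lives in one routine, which is the single-place fix the follow-up post asks for: an allow-list on the ID list, so that only integer literals ever reach the WHERE clause. It assumes the in_clause.rptdesign pattern, in which the data set's beforeOpen script assigns this.queryText; the parameter name idList and the table and column names are made up for the illustration. Because BIRT runs report scripts on Rhino, the same function can sit in a shared script file, or be ported to a Java class and called through Rhino's Java integration, so a fix is made once rather than in hundreds of reports.

```javascript
// Added example (not BIRT's or the thread author's code): allow-list checking of an
// "ID list" report parameter before it is spliced into an IN clause. It assumes the
// in_clause.rptdesign pattern, where the data set's beforeOpen script rewrites
// this.queryText from a comma-separated parameter such as "1001, 1002,1003".

// Strict token grammar: digits only, bounded length. Anything else (quotes, spaces
// inside a token, comment markers, a second statement) is rejected, not escaped.
var ID_TOKEN = /^[0-9]{1,18}$/;
var COLUMN_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Split a raw parameter string into validated ID strings. Throws on any bad token.
function parseIdList(raw, maxIds) {
  if (typeof raw !== "string") {
    throw new Error("ID list parameter must be a string");
  }
  var ids = [];
  var parts = raw.split(",");
  for (var i = 0; i < parts.length; i++) {
    var token = parts[i].replace(/^\s+|\s+$/g, ""); // trim (works on old Rhino too)
    if (token === "") { continue; }                 // tolerate "1,,2" and trailing commas
    if (!ID_TOKEN.test(token)) {
      throw new Error("Rejected ID token: '" + token + "'");
    }
    ids.push(token.replace(/^0+(?=[0-9])/, ""));    // normalise leading zeros, keep "0"
  }
  if (ids.length === 0) { throw new Error("ID list is empty"); }
  if (ids.length > maxIds) { throw new Error("Too many IDs: " + ids.length); }
  return ids;
}

// Hardened form: only validated integer literals ever reach the SQL text.
function buildInClause(column, raw, maxIds) {
  // The column comes from the report author, not the user, but allow-list it too
  // so the helper cannot be misused to splice arbitrary text into the query.
  if (!COLUMN_NAME.test(column)) { throw new Error("Bad column name: " + column); }
  return column + " IN (" + parseIdList(raw, maxIds || 500).join(", ") + ")";
}

// The unsafe form the question worries about: the raw string goes straight in,
// so "1) OR 1=1 --" rewrites the WHERE clause instead of filtering by ID.
function unsafeInClause(column, raw) {
  return column + " IN (" + raw + ")";
}

// True when the hardened builder refuses the input; shows what it blocks.
function rejects(raw) {
  try { buildInClause("customer_id", raw); return false; } catch (e) { return true; }
}

// In the data set's beforeOpen script it would be used roughly like this
// (params["idList"] and this.queryText are assumed BIRT names, table/column made up):
//   this.queryText = "SELECT * FROM orders WHERE " +
//                    buildInClause("customer_id", params["idList"].value);
```

Rejecting rather than escaping is the point: a list of numeric IDs has no legitimate reason to contain quotes, parentheses or comment markers, and an allow-list does not need revisiting each time a new escaping trick is found. If the IDs are strings rather than numbers, the cleaner route is one bind placeholder per ID (IN (?, ?, ?)) with the values bound as parameters, rather than quoting them into the query text.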
mwilliams
David,
Answering yourself is always ok!
Good luck.