Rest - does it prevent sql injection?

**Sin OB** · 2011-11-23, 09:26 AM

I am using JavaScript JQuery to directly pull data from Sugar via the REST interface to an external system. So far this is working very well.

My question is; does SugarCrm perform any data sanitation on the rest_data that I am sending in when getting information from the API. I want to make sure there is no risk of SQL injection to sugar using a direct JavaScript solution.

So, lets say I have the following JavaScript and I pass this to the REST server as part of a request to get_entry_list.

Code:

var rest = {"session":session_id, 
            'module':'Products',
            'query':'products.account_id = "'+account_id+'" and products.status="Ship"',
            'order_by':'',
            'offset':'0',
            'select_fields':new Array('name','id', 'available_to_all_c', 'book_value','description'),
            'max_result':'50',
            'deleted':'false'};

The account_id above is dynamic based on user input. Will the API on SugarCrm side perform any sanitation to catch any malicious code before it hits the database?

The last reference I have found to this was the following thread in 2009 that appears to indicate that it does not perform any checking. See http://www.sugarcrm.com/forums/f154/...71/index2.html - post 12, I'm hoping that this is no longer the case?

**Sin OB** · 2011-12-06, 11:59 AM

I haven't found anything on the sugar side to indicate that it performs any checking/sanitation.

Yikes.

Solution: Avoid direct JavaScript call to SugarCrm API. For safety I've implemented a server side wrapper to clean up any user inputs before shooting the query off to the SuarCrm API.