Web Core + XData '&' Character complication


In my Web Core application, I have a TWebButton. Clicking this button triggers the following OnClick event with the Post-Method:

myWebXClient.RawInvoke('IMyService.MyQuery', ['INSERT INTO... VALUES(''&456'')'],@MyInternalExec, @OnError);

Server-side, I can see in the console log that such a request is made:

'EXEC SP_xxx ...,...,...,N''&456'',...'

However, in the SQL Server table, the value is empty.

Manually inserting that same value ('&456') directly into SQL doesn't result in an error. After manually inserting this value I can retrieve and see it in my Web Core application without any problem.

Every character AFTER the '&' character, including the '&' itself, becomes blank. So, trying to insert the value '123&456' results in '123' only.

What might be the reason for this problem?

Kind regards.

If the SQL Server indicates that the SQL is being executed correctly (the content you sent), then I can assume Web Core side is not the problem.
Maybe you can try to execute the exact SQL directly using your XData code in a regular application and see how it goes.
As a side note, what you are doing is a huge security issue, I hope your system is not sensitive to security.


The console log that I was talking about is where my XData server is. In this console log, I can see that the Client Application sent the correct SQL query, so I also think that Web Core is not the problem. My problem is about the part after the point that the request reaches my XData Server.

So, the value reaches the XData server application correctly. But, it isn't inserting this value: the value which came from the Web Application. Instead, it inserts a blank value (''). That's why I suspect that XData is malfunctioning during the final phase. I might be wrong though. Maybe I didn't fully understand what you were trying to explain.

About your side note, my description of the project was a simplified one. But it still works in a similar way, and security is probably the number one priority. So could you please elaborate on the matter? How can I tighten up the security of the project? If you could point me to the right direction I can pick it up from there. We can also continue through e-mail if you want.

Kind regards.

Try to isolate the problem. Log the content of the parameter received in your service operation. If it's correct, then just forget about Web Core and XData and try to execute that service operation code with the passed parameters and see if it works.

Just a general concept. Allowing clients to execute arbitrary SQL statements is a security issue. Once they have credentials to your server by stealing some password or token, they can damage your entire database.

And even if they do not have access, you are not sanitizing user input by injecting it directly in your SQL. This is an SQL injection issue.
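The two replies above amount to one server-side pattern: the service operation receives only the data value (never SQL text), logs exactly what arrived so the problem can be isolated, and binds that value as a query parameter so the client can no longer inject statements. The unit below is an added example written for this thread, not code from the poster, from TMS or from any of the replies; the table and column names, the FireDAC connection definition name, the interface GUID, the length limit and the use of Writeln for the console log are all assumptions.

```delphi
unit MyService.Impl;

{ Added example: an XData service operation that takes the value, not the SQL.
  Assumed: table MyTable with column MyValue, a FireDAC connection definition
  named MySqlServerDef, and a console-hosted XData server (so Writeln logs). }

interface

uses
  System.SysUtils,
  XData.Service.Common,
  FireDAC.Comp.Client,
  FireDAC.Stan.Param;

type
  [ServiceContract]
  IMyService = interface(IInvokable)
    ['{A1B2C3D4-0000-4000-8000-000000000001}'] // placeholder GUID, regenerate
    // The client sends only the value; the INSERT statement lives on the server.
    // Web Core side this becomes, for example:
    //   XDataWebClient1.RawInvoke('IMyService.InsertValue', ['123&456'],
    //                             @MyInternalExec, @OnError);
    procedure InsertValue(const Value: string);
  end;

  [ServiceImplementation]
  TMyService = class(TInterfacedObject, IMyService)
  private
    function NewConnection: TFDConnection;
  public
    procedure InsertValue(const Value: string);
  end;

implementation

uses
  XData.Sys.Exceptions;

function TMyService.NewConnection: TFDConnection;
begin
  // Assumption: connection settings come from a FireDAC definition, not from
  // anything the client sends.
  Result := TFDConnection.Create(nil);
  Result.ConnectionDefName := 'MySqlServerDef';
  Result.Connected := True;
end;

procedure TMyService.InsertValue(const Value: string);
var
  Conn: TFDConnection;
  Query: TFDQuery;
begin
  // First step from the thread: log what actually reached the service.
  // If '123&456' is intact here, the client and transport are not the cause.
  Writeln(Format('InsertValue received %d chars: [%s]', [Length(Value), Value]));

  // Server-side validation: the client is untrusted, so the server decides
  // what is acceptable (limits are assumptions for the example).
  if Value = '' then
    raise EXDataHttpException.Create(400, 'Value must not be empty');
  if Length(Value) > 200 then
    raise EXDataHttpException.Create(400, 'Value is too long');

  Conn := NewConnection;
  try
    Query := TFDQuery.Create(nil);
    try
      Query.Connection := Conn;
      // The value is bound as a parameter. Quotes, '&', ';' or anything else
      // inside it are treated as data by the driver, never as SQL text, which
      // removes the SQL injection issue raised in the replies.
      Query.SQL.Text := 'INSERT INTO MyTable (MyValue) VALUES (:Val)';
      Query.ParamByName('Val').AsString := Value;
      Query.ExecSQL;
    finally
      Query.Free;
    end;
  finally
    Conn.Free;
  end;
end;

initialization
  RegisterServiceType(TMyService);

end.
```

With this shape the old 'IMyService.MyQuery' operation that accepted a complete statement is no longer needed, so a stolen token can only call the narrow operations the server exposes. The Writeln at the top is the isolation step from the last reply: compare its output with the client-side value, then run the same parameterized code from a plain desktop application to rule the transport in or out.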