Hitachi Vantara Pentaho Community Forums

Thread: SQL Injection in Pentaho Reporting

  1. #1

    SQL Injection in Pentaho Reporting

    Hi all,

    I have a report based on an SQL query which contains an "in" expression which receives a list as a parameter. However, it's possible that the client passes an SQL query in the parameter, and Pentaho doesn't give any exception!
    Is it possible to configure any sort of validation, in the action file for example? I can't use Secure Filter because my application calls Pentaho directly through HTTPClient. Besides this, Secure Filter just creates an input page.

    Thanks in advance.

  2. #2


    The reporting engine itself only supports Prepared-Statements, which are immune to any SQL injection.

    So I assume you are talking about the XActions. In XActions, there are two ways to define parameters. One is a simple string replacement, allowing you to even rewrite the SQL query and the other is to use Prepared-parameters which get mapped into Prepared-statements (and therefore are also safe from Injections).

    The general rule is: If you use plain parameters, then you are open to everything unless you validate the parameters with a "SecureFilterComponent" (or any other validation rule). The plain parameters have their uses in the more advanced scenarios, but in most cases, you should use prepared statements or at least a SecureFilterComponent before you do a query.

    With great power comes great responsibility

    PS: I'm moving this to the BI-Server section, as this is not related to the reporting engine at all.
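The distinction drawn above between a plain string-replacement parameter and a prepared parameter, shown with an IN-list like the one in the question (an added example, not Pentaho or XAction code; it uses Python's sqlite3 module, and the allow-list check is a hypothetical stand-in for a SecureFilterComponent-style validation rule):

```python
import re
import sqlite3

# Constructed in-memory table standing in for the report's data source.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sales (region TEXT, amount INTEGER);
        INSERT INTO sales VALUES ('north', 100), ('south', 200), ('restricted', 999);
    """)
    return conn

def query_plain(conn, regions_param):
    """Plain (string-replacement) parameter: the caller's text becomes part of the SQL.
    Whatever the client sends, including a SQL fragment, is executed as written."""
    sql = f"SELECT region, amount FROM sales WHERE region IN ({regions_param})"
    return conn.execute(sql).fetchall()

def query_prepared(conn, regions):
    """Prepared parameter: one '?' placeholder per list element, values bound by the driver.
    Each element stays a literal; a SQL fragment inside it cannot change the query structure."""
    placeholders = ", ".join("?" for _ in regions)
    sql = f"SELECT region, amount FROM sales WHERE region IN ({placeholders})"
    return conn.execute(sql, regions).fetchall()

# Allow-list check standing in for a SecureFilterComponent-style validation rule
# (hypothetical helper, not a Pentaho API): region codes are short lowercase words.
REGION_CODE = re.compile(r"[a-z]{1,16}")

def validate_regions(regions):
    """Reject the whole request if any list element is not a plain region code."""
    bad = [r for r in regions if not REGION_CODE.fullmatch(r)]
    if bad:
        raise ValueError(f"rejected parameter values: {bad}")
    return regions

if __name__ == "__main__":
    conn = make_demo_db()
    # Constructed client input: a list whose second element carries a SQL fragment.
    client_list = ["north", "x') OR ('1'='1"]
    print(query_plain(conn, "'north', 'x') OR ('1'='1'"))  # all 3 rows: the IN filter is bypassed
    print(query_prepared(conn, client_list))                 # [('north', 100)] only
    try:
        validate_regions(client_list)
    except ValueError as e:
        print(e)                                             # the request is rejected before any query runs
```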

  3. #3


    Hi Taqua,

    Is it possible to set validation rules in the Eclipse Design Studio interface? With Secure Filter, for example, the window only allows you to specify the name of the parameters (Prompt for) and the prompt style.


  4. #4

    Passing Locale variable to XAction file...

    Hi Taqua,

    I want to pass a Locale variable from my application and make it select the appropriate properties file. Can you tell me how I can pass the Locale variable as a dynamic parameter to the XAction file?

