For a clear understanding, and to make sure I give the correct answer, can you please tell me which MIP SDK method you will be using to send the data string to the database?
Is there any sort of input validation done when data strings are sent to the database using the MIP SDK?
Hello,
These are some examples of where data can be sent from a plugin to XProtect to be stored in the database:
- SaveItemConfiguration(Guid pluginDefinitionId, Item item)
- Configuration.Instance.SaveOptionsConfiguration(Guid optionsDialogId, bool userPrivate, XmlNode xmlNode)
- VideoOS.ConfigurationApi.ClientService.ConfigurationServiceClient.SetItem(ConfigurationItem item)
- Names of items can be set using the API, for example.
- Access control API. Custom door names, event types, etc.
Some of that data may be set by the user in text input fields, for example. I’m thinking about SQL injection and other forms of malicious data input by an attacker.
The database is using stored procedures to store these objects and in this way SQL injection is not possible. The database should be safe from malicious data by an attacker using any of the mentioned methods or APIs.
Better understanding your question now, and after speaking with the developers, I can now answer your original question: No, the data strings are not validated. Please note that it is safe, though not validated, for the reason explained above.
Thank you!
That’s the answer I was looking for, specifically how you protect the database from those kinds of attacks.
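
The distinction drawn in the answer above (stored safely, though not validated), shown as an added example that is not part of the thread and is not Milestone's code. It assumes the stored procedures receive values as bound parameters; SQLite stands in for the XProtect database, and the table, function names and sample item names are constructed for illustration.

```python
import sqlite3

# Constructed sample input: item names typed into a plugin text field.
SAMPLE_NAMES = ["Front door", "O'Brien's office", "x'), ('injected"]


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    return db


def save_item_bound(db, name):
    # Stand-in for the stored-procedure call: the name is a bound parameter,
    # so it can never become part of the SQL text.
    db.execute("INSERT INTO items (name) VALUES (?)", (name,))


def save_item_concatenated(db, name):
    # Contrast case: the name is pasted into the statement text.
    db.execute("INSERT INTO items (name) VALUES ('" + name + "')")


def run(save):
    """Save every sample name with `save`; return (per-name outcome, stored rows)."""
    db = new_db()
    outcome = []
    for name in SAMPLE_NAMES:
        try:
            save(db, name)
            outcome.append("stored")
        except sqlite3.Error:
            outcome.append("error")
    rows = [r[0] for r in db.execute("SELECT name FROM items ORDER BY id")]
    return outcome, rows


if __name__ == "__main__":
    for save in (save_item_bound, save_item_concatenated):
        print(save.__name__, *run(save), sep="\n  ")
```

With bound parameters every name comes back exactly as entered, quotes included, so any code that later displays or re-uses these strings still has to encode them for its own output context.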