<?xml version="1.0" encoding="iso-8859-1"?>
<?xml-stylesheet href="../make-menu.xsl" type="text/xsl"?><html>
   <head>
      <this-is section="sql-extension" page="warning-2" subpage=""/>
      <!--
           Generated at 2011-12-09T20:47:22.916Z--><title>Saxonica: XSLT and XQuery Processing: A Warning about Security (SQL injection)</title>
      <meta name="coverage" content="Worldwide"/>
      <meta name="copyright" content="Copyright Saxonica Ltd"/>
      <meta name="title"
            content="Saxonica: XSLT and XQuery Processing: A Warning about Security (SQL injection)"/>
      <meta name="robots" content="noindex,nofollow"/>
      <link rel="stylesheet" href="../saxondocs.css" type="text/css"/>
   </head>
   <body class="main">
      <h1>A Warning about Security (SQL injection)</h1>
      <p>The instructions in the SQL extension make no attempt to verify that the SQL being executed
is correct and benign. No checks are made against injection attacks; indeed the <code>sql:execute</code>
instruction explicitly allows any SQL statement to be executed.</p>
      <p>Therefore, the extension should be enabled only if (a) the stylesheet itself is trusted, and (b)
any text inserted into the stylesheet to construct dynamic SQL statements is also trusted.</p>
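      <p>As an added example (not taken from the Saxon documentation), the stylesheet fragment below places the unsafe pattern of splicing an externally supplied parameter into <code>sql:execute</code> next to a form that refuses the transformation unless the value matches a strict pattern first. The extension namespace, the <code>connection</code> and <code>statement</code> attributes and the JDBC connection values are assumed from Saxon's SQL extension and are placeholders; the check narrows the input rather than parameterising the statement.</p>

```xslt
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the Saxon documentation. Assumed: the SQL extension
     namespace below, a 'statement' attribute value template on sql:execute, and
     placeholder JDBC connection details. -->
<xsl:stylesheet version="2.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:sql="java:/net.sf.saxon.sql.SQLElementFactory"
    extension-element-prefixes="sql">

  <!-- Supplied from outside the stylesheet (for example a request parameter),
       so it is exactly the "text inserted into the stylesheet" the warning is about. -->
  <xsl:param name="order-id" as="xs:string"/>

  <!-- Placeholder connection; driver, database, user and password are constructed values. -->
  <xsl:variable name="conn">
    <sql:connect driver="org.example.Driver" database="jdbc:example:placeholder"
                 user="app" password="PLACEHOLDER"/>
  </xsl:variable>

  <!-- UNSAFE: $order-id is copied into the SQL text unchanged, so whatever text
       the caller supplies becomes part of the statement that sql:execute runs. -->
  <xsl:template name="delete-order-unsafe">
    <sql:execute connection="$conn"
                 statement="DELETE FROM orders WHERE id = '{$order-id}'"/>
  </xsl:template>

  <!-- Safer: only a plain integer of bounded length is accepted; anything else
       terminates the transformation before any SQL text is assembled. -->
  <xsl:template name="delete-order-checked">
    <xsl:if test="not(matches($order-id, '^[0-9]{1,10}$'))">
      <xsl:message terminate="yes">Rejected order-id: not a plain integer</xsl:message>
    </xsl:if>
    <sql:execute connection="$conn"
                 statement="DELETE FROM orders WHERE id = {$order-id}"/>
  </xsl:template>

</xsl:stylesheet>
```

Even with the check in place, the page's condition (a) still applies: the stylesheet itself must be trusted, because the check can only constrain values the stylesheet author chose to check.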
   </body>
</html>