<?xml version="1.0" encoding="iso-8859-1"?>
<?xml-stylesheet href="../make-menu.xsl" type="text/xsl"?>
<html>
<head>
<this-is section="sql-extension" page="warning-2" subpage=""/>
<!-- Generated at 2011-12-09T20:47:22.916Z-->
<title>Saxonica: XSLT and XQuery Processing: A Warning about Security (SQL injection)</title>
<meta name="coverage" content="Worldwide"/>
<meta name="copyright" content="Copyright Saxonica Ltd"/>
<meta name="title" content="Saxonica: XSLT and XQuery Processing: A Warning about Security (SQL injection)"/>
<meta name="robots" content="noindex,nofollow"/>
<link rel="stylesheet" href="../saxondocs.css" type="text/css"/>
</head>
<body class="main">
<h1>A Warning about Security (SQL injection)</h1>
<p>The instructions in the SQL extension make no attempt to verify that the SQL being executed is correct and benign. No checks are made against injection attacks; indeed the <code>sql:execute</code> instruction explicitly allows any SQL statement to be executed.</p>
<p>Therefore, the extension should be enabled only if (a) the stylesheet itself is trusted, and (b) any text inserted into the stylesheet to construct dynamic SQL statements is also trusted.</p>
</body>
</html>
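The stylesheet fragment below is an added illustration, not code from the Saxon documentation. It shows why condition (b) matters and one way to enforce it inside the stylesheet: an external parameter is spliced into the <code>statement</code> attribute of <code>sql:execute</code>, which the extension executes verbatim, so the unguarded template lets any quote character in the value change the statement, while the guarded template allow-lists the value first and terminates otherwise. The attribute names of <code>sql:connect</code>, <code>sql:execute</code> and <code>sql:close</code> and the java-type namespace are assumed to be as in the Saxon 9 documentation; the driver, database, table and column names are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example. Assumes: sql:connect takes driver/database/user/password,
     sql:execute takes connection and statement (an attribute value template),
     sql:close takes connection. Driver, database and table names are placeholders. -->
<xsl:stylesheet version="2.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:sql="http://saxon.sf.net/sql"
    xmlns:java="http://saxon.sf.net/java-type"
    extension-element-prefixes="sql">

  <!-- Supplied from outside the stylesheet (command line, API call), so not trusted by default. -->
  <xsl:param name="account" as="xs:string"/>

  <xsl:variable name="connection" as="java:java.sql.Connection">
    <sql:connect driver="org.hsqldb.jdbcDriver" database="jdbc:hsqldb:mem:placeholder"
                 user="sa" password=""/>
  </xsl:variable>

  <!-- UNGUARDED: $account is inserted into the SQL text as-is. The extension performs no
       checks, so a value containing a single quote alters the structure of the statement. -->
  <xsl:template name="purge-unguarded">
    <sql:execute connection="$connection"
                 statement="DELETE FROM audit_log WHERE account = '{$account}'"/>
    <sql:close connection="$connection"/>
  </xsl:template>

  <!-- GUARDED: only values matching an allow-list of identifier characters reach the SQL
       text; anything else stops the transformation before a statement is built. This is
       the stylesheet-side way to satisfy condition (b) when the value comes from outside. -->
  <xsl:template name="purge-guarded">
    <xsl:if test="not(matches($account, '^[A-Za-z0-9_]{1,32}$'))">
      <xsl:message terminate="yes">
        <xsl:text>Rejected account value; refusing to build dynamic SQL</xsl:text>
      </xsl:message>
    </xsl:if>
    <sql:execute connection="$connection"
                 statement="DELETE FROM audit_log WHERE account = '{$account}'"/>
    <sql:close connection="$connection"/>
  </xsl:template>

</xsl:stylesheet>
```

The allow-list is deliberately narrow; widening it to accept quotes or spaces reintroduces the problem, because the extension offers no parameterised statements to fall back on.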