
SOLVED

How does AEM prevent SQL injection?

Level 4

How does AEM prevent SQL injection?

1 Accepted Solution

Correct answer by
Community Advisor

You should be fine; JCR_SQL2 is read-only, which means that you can only use the "SELECT" keyword.


10 Replies

Community Advisor

@shikhasoni1 Please refer to the Community URL below for an understanding of AEM Security Best Practices:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-security-best-practice...


Employee Advisor


Community Advisor

Please note that JCR SQL injections != RDBMS SQL injections. SQL in JCR is strictly read-only. As far as it is possible to manipulate a query, the only risk is information leakage. No data can be manipulated as is the case with RDBMSes.

Arun Patidar


Level 2

.

Correct answer by
Community Advisor

You should be fine; JCR_SQL2 is read-only, which means that you can only use the "SELECT" keyword.

Level 2

Hi,

How can we prevent blind XPath injection for an AEM page?

Thanks

Level 1

I have got a similar vulnerability in our latest report. Did you find any solution for this?


Community Advisor

Level 1

Thanks @arunpatidar for the response. Does this mean we can ignore the critical vulnerability in our latest report?

Community Advisor

Hi @KiranVe1

Yes, you can't update/write on AEM if you don't have permission, and by design there is only read permission for queries.

So you can ignore it.

Arun Patidar
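As an added example that is not part of this thread and not Adobe's or Apache Oak's code: the difference between splicing request input into a JCR-SQL2 statement and passing it as a bind variable, written against the standard JCR 2.0 API (`javax.jcr.query.Query.bindValue`). The `cq:Page` filter, the site root path, the class name and the "look up pages by title" use case are assumptions for illustration. It covers both the SQL question and the later XPath question: rewriting an XPath lookup in JCR-SQL2 lets the input travel as a bound value instead of being assembled into the query string, and, as noted above, the residual risk in the unsafe form is a widened read (information leakage) rather than a write.

```java
import java.util.ArrayList;
import java.util.List;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.Row;
import javax.jcr.query.RowIterator;

/**
 * Added example, not code from the thread or from Adobe/Oak. Shows a JCR-SQL2
 * lookup built by string concatenation next to the same lookup using a bind
 * variable. SITE_ROOT and the cq:Page/jcr:title use case are assumptions.
 */
public final class JcrSql2Lookup {

    // Assumed content root; a real service would read this from configuration.
    private static final String SITE_ROOT = "/content/my-site";

    /**
     * UNSAFE: the title is spliced into the statement text. An input that
     * contains a single quote terminates the literal and everything after it
     * is parsed as query syntax, so a crafted value can widen the result set
     * beyond the intended subtree. Queries are read-only, so the worst outcome
     * is a leaked read, which is exactly the risk described in the thread.
     */
    static String buildConcatenated(String userTitle) {
        return "SELECT p.* FROM [cq:Page] AS p "
             + "WHERE ISDESCENDANTNODE(p, '" + SITE_ROOT + "') "
             + "AND p.[jcr:title] = '" + userTitle + "'";
    }

    /**
     * SAFE: the statement is a constant; $title is a JCR-SQL2 bind variable.
     * The user's value is bound through the API and is never parsed as query
     * syntax, whatever characters it contains.
     */
    static final String PARAMETERISED =
          "SELECT p.* FROM [cq:Page] AS p "
        + "WHERE ISDESCENDANTNODE(p, '" + SITE_ROOT + "') "
        + "AND p.[jcr:title] = $title";

    /**
     * Runs the parameterised query and returns the matching page paths.
     * In AEM the Session is typically obtained from a service ResourceResolver
     * via resourceResolver.adaptTo(Session.class); a service user that can
     * only read below SITE_ROOT also bounds what any query can ever return.
     */
    static List<String> findPagesByTitle(Session session, String userTitle)
            throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        Query query = qm.createQuery(PARAMETERISED, Query.JCR_SQL2);

        // Bind the raw input as a String value; no escaping is needed.
        Value title = session.getValueFactory().createValue(userTitle);
        query.bindValue("title", title);

        List<String> paths = new ArrayList<>();
        for (RowIterator it = query.execute().getRows(); it.hasNext(); ) {
            Row row = it.nextRow();
            paths.add(row.getPath());
        }
        return paths;
    }

    /**
     * Fallback for code that must inline a literal (for example a path in
     * ISDESCENDANTNODE): JCR-SQL2 escapes a single quote inside a string
     * literal by doubling it. Prefer bind variables wherever the grammar
     * allows them; use this only where it does not.
     */
    static String quoteLiteral(String raw) {
        return "'" + raw.replace("'", "''") + "'";
    }
}
```

The practical check when a scanner flags a query-injection finding in AEM is therefore twofold: confirm that no statement is built by concatenation (grep for `createQuery(` and look at how the string is assembled), and confirm that the session running the query belongs to a service user with read access limited to the content it needs, which bounds what any widened query could leak.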