- Type: Bug
- Status: Closed
- Priority: Medium
- Resolution: Done
- Affects Version/s: None
- Fix Version/s: None
- Component/s: Platform
- Labels: None
- Module: BenAdmin
- Reported by: Harbinger
- Item State: Production Complete - Closed
- Issue Importance: Good To Have

Getting Server error: Admin User page
1] Add User ID: single quote
2] Click on Save button
3] Getting server error
Refer to attached screenshots.
Below is the error log:
ErrorID : 0
ErrorSource : ControllerAppTier.GetData->WORKTERRAControllerAppTier.GetData->AdminUser.GetData->AdminUser.GetAdminUserForGivenName->CommonBusinessRoutines.GetSingleValue
ErrorMessage: Incorrect syntax near 'Donald'.
Unclosed quotation mark after the character string ' AND Users.SystemUserID = SystemUsers.ID '.
StackTrace: at WORKTERRA.Shared.WORKTERRAControllerAppTier.GetData(WORKTERRAControllerWebTierEntity objWORKTERRAControllerWebTierEntity)
at WORKTERRA.ControllerAppTier.GetData(Int32 intProjectsId, String strInput)
TargetSite: System.String GetData(WORKTERRA.Shared.WORKTERRAControllerWebTierEntity)
Hi Rashmita Dudhe,
When we enter a single quote in the username, while checking if that user already exists in the system or not, it was throwing an error during query execution.
We have fixed this issue. Code has been checked in to LB.
Prasad Pise,
Can we try SQL injection on this username input of the Partner/Broker page and Admin page?
Thanks.
CC: Samir, Vijay Siddha, Rakesh Roy, Satya
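
The failure reported above and the regression check requested in the last comment, as an added example that is not the project's code: Python with an in-memory SQLite database stands in for the application's data tier. Only the `Users.SystemUserID = SystemUsers.ID` join comes from the error log; the `UserName` column, the function names and the sample rows and inputs are constructed assumptions.

```python
import sqlite3

# Constructed sample inputs: user IDs containing single quotes.
QUOTED_IDS = ["'", "O'Donald", "jsmith'", "''"]

def make_db():
    # Assumed schema; only the Users/SystemUsers join appears in the error log.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE SystemUsers (ID INTEGER PRIMARY KEY);
        CREATE TABLE Users (SystemUserID INTEGER, UserName TEXT);
        INSERT INTO SystemUsers VALUES (1), (2);
        INSERT INTO Users VALUES (1, 'jsmith'), (2, 'O''Donald');
    """)
    return conn

def exists_concatenated(conn, user_id):
    # 'Before' form: the input becomes part of the SQL text.
    sql = ("SELECT COUNT(*) FROM Users, SystemUsers WHERE Users.UserName = '"
           + user_id + "' AND Users.SystemUserID = SystemUsers.ID")
    return conn.execute(sql).fetchone()[0] > 0

def exists_parameterized(conn, user_id):
    # Hardened form: the input is bound as data and never parsed as SQL.
    sql = ("SELECT COUNT(*) FROM Users, SystemUsers WHERE Users.UserName = ? "
           "AND Users.SystemUserID = SystemUsers.ID")
    return conn.execute(sql, (user_id,)).fetchone()[0] > 0

def probe(check, conn, user_id):
    # Returns 'found', 'not found', or 'db-error' for one input.
    try:
        return "found" if check(conn, user_id) else "not found"
    except sqlite3.Error:
        return "db-error"

def regression(check):
    # Map each quoted input to its outcome; any 'db-error' is a failure.
    conn = make_db()
    return {uid: probe(check, conn, uid) for uid in QUOTED_IDS}

if __name__ == "__main__":
    for name, check in [("concatenated", exists_concatenated),
                        ("parameterized", exists_parameterized)]:
        print(name, regression(check))
```

A `db-error` result means the input reached the SQL parser as query text; the parameterized check returns only `found` or `not found`, including for a stored user whose name contains an apostrophe.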