Countermeasures against SQL injection

InterSystems FAQ rubric

Countermeasures against SQL injection have been published on various websites, but we believe that it is possible to prevent SQL injection in applications using InterSystems SQL as well as other RDBMS by implementing these countermeasures appropriately. In addition, InterSystems Data Platform (hereinafter referred to as IRIS) incorporates several measures that make SQL injection more difficult than general RDBMS.

1. InterSystems SQL does not allow multiple SQL statements to be executed in a single request, so the technique of adding a malicious command as input after a semicolon (;) cannot be used.  
2. IRIS offers not only SQL access but also object access. By implementing update processing with object access and prohibiting update processing by SQL statements for general users, it is possible to prevent tampering of the database unexpectedly by the application due to SQL statement injection.  
3. CSP,  which is IRIS's web technology, can encrypt all URL query strings, so it is challenging to use techniques such as obtaining clues for injection from query strings.  
4. The IRIS security model allows you to grant database access to applications, not just users. And users can be restricted to read and write access to the database, with only permissions to run the application.  

These further reduce the opportunity for malicious users to directly access the database itself.