Article - CS355016
Control mechanisms used by ThingWorx Foundation to prevent SQL injection attacks
Modified: 03-Dec-2025
Applies To
- ThingWorx Platform 8.0 to 9.7
Description
- What control mechanisms does ThingWorx Foundation provide to avoid SQL injection attacks?
- Are there any SQL injection countermeasures in ThingWorx Foundation?
- When a value entered in a text field of a ThingWorx Mashup widget is used as part of an SQL statement, is it treated as a simple string?
- When a SQL service parameter is substituted directly into the statement text, an attacker can supply SQL syntax instead of a plain value and change what the statement does
- For example, a customer uses the following SQL statement, where <<name>> is filled in from the service parameter
select * from thing_model where name = <<name>>
- A SQL injection attack is possible by supplying a value that closes the intended string literal, appends an OR condition that is always true, and then stacks a drop or delete statement after a semicolon, producing for example
select * from thing_model where name ='aaa' OR 1=1; drop table xxx
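As an added example that is not part of the PTC article, the following Python script reproduces the two behaviours the questions above are about, with sqlite3 standing in for the database behind a ThingWorx SQL service: a lookup that splices the caller's value into the statement text the way a <<name>> substitution does, and the same lookup written with a bound parameter, which is what treating the input "as a simple string" means. The thing_model rows, the table named xxx that the article's payload drops, and the helper that executes ';'-stacked statements (sqlite3's execute() refuses more than one statement, so the helper stands in for a database driver that accepts stacked statements) are all constructed for this demo. In ThingWorx SQL services the distinction between the two lookups is the parameter marker: <<param>> substitutes the value as text into the statement, while [[param]] binds it as a prepared-statement parameter.

```python
"""Text substitution vs. bound parameter for a ThingWorx-style SQL lookup.

Demo code, not ThingWorx or PTC code. sqlite3 stands in for the database
behind the SQL service; the data and the stacked-statement helper are
constructed for this demonstration.
"""
import sqlite3

# The article's statement: <<name>> is replaced by the caller's text as-is.
TEMPLATE = "select * from thing_model where name = <<name>>"

# The article's payload, exactly as a caller would supply it for <<name>>.
ATTACK_VALUE = "'aaa' OR 1=1; drop table xxx"


def setup_db():
    """Constructed sample data: three things plus a table for the payload to drop."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        create table thing_model (id integer primary key, name text);
        insert into thing_model (name) values ('aaa'), ('bbb'), ('ccc');
        create table xxx (id integer primary key);
        """
    )
    return conn


def substitute(template, value):
    """Text substitution: whatever the caller sends becomes part of the SQL."""
    return template.replace("<<name>>", value)


def run_stacked(conn, sql):
    """Execute every ';'-separated statement and return the rows of the first.

    sqlite3's execute() refuses more than one statement, so this helper stands
    in for a database driver that accepts stacked statements (an assumption of
    this demo, not a property of any particular ThingWorx database connector).
    """
    rows = None
    for stmt in (s.strip() for s in sql.split(";")):
        if not stmt:
            continue
        cur = conn.execute(stmt)
        if rows is None:
            rows = cur.fetchall()
    return rows or []


def vulnerable_lookup(conn, value):
    """The <<name>> pattern: the value is spliced into the statement text."""
    return run_stacked(conn, substitute(TEMPLATE, value))


def safe_lookup(conn, value):
    """Bound parameter: the value travels separately and is compared as a string.

    The caller now passes the bare value (aaa), not a quoted literal ('aaa').
    """
    return conn.execute(
        "select * from thing_model where name = ?", (value,)
    ).fetchall()


def table_exists(conn, table):
    row = conn.execute(
        "select 1 from sqlite_master where type = 'table' and name = ?", (table,)
    ).fetchone()
    return row is not None


def demo():
    """Return (rows from the substituted lookup, xxx still exists?,
    rows from the bound lookup, xxx still exists?) for the article's payload."""
    conn = setup_db()
    # OR 1=1 matches every row, then the stacked statement drops xxx.
    attacked = vulnerable_lookup(conn, ATTACK_VALUE)
    survived_vuln = table_exists(conn, "xxx")

    conn = setup_db()
    # No thing is literally named "'aaa' OR 1=1; drop table xxx", so nothing matches
    # and the text is never parsed as SQL.
    bound = safe_lookup(conn, ATTACK_VALUE)
    survived_safe = table_exists(conn, "xxx")
    return len(attacked), survived_vuln, len(bound), survived_safe


if __name__ == "__main__":
    print("substituted statement:", substitute(TEMPLATE, ATTACK_VALUE))
    print(demo())
```

Running the script prints the substituted statement from the article and the tuple (3, False, 0, True): the substituted lookup returns all three rows and loses the xxx table, while the bound lookup returns no rows and leaves the schema intact.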