Archibus Handling SQL in V2024.02+

Historically, the approach to SQL Injection prevention in Archibus has been to do a variety of checks to block known attack patterns, such as keyword checks and ensuring matching delimiters. While this method has been effective for many years, it’s inefficient and increasingly impractical to maintain.

Going forward, we have been and will continue to update software to use parameterized queries and require that all SQL be specified on the server (AXVW, Java). To that end we’ve made changes to some APIs in Java and request that those customizing the software also avoid use of methods that pass SQL from client to server.

The following is documentation of the changes that may impact you, a developer working on an Archibus product.

• Archibus Parameterized Queries - Front End

• DataSource Programming: New Sql Classes - Back End

• DataSource Programming: Usage of new Sql classes with Examples

• DataSource Programming: Insecure APIs and Alternative futures