Question

Why does Microsoft Defender for Cloud raise a warning when an SQLExecutor is run on an Azure SQL-database?

  • April 11, 2022
  • 1 reply
  • 87 views

torbjornd
Contributor

I'm running a workbench which contains several SQLExecutors that query an Azure SQL database. When running the workbench we get an alert from Microsoft Defender for Cloud saying that "An application generated a faulty SQL statement on database XXX. This may indicate that the application is vulnerable to SQL injection".

 

When looking into the case, I can see that the query raising this warning is from FME:

 

SELECT * INTO #fme_tempAdoDataTypeTable_spatialReader FROM ( select CustomerID, Name, PostAddress_Address1 from Customer where UPPER([Name]) = 'Hans Hansen' and UPPER(PostAddress_Address1) = 'Gates' vei 69' ) AS customQuery WHERE 1=0

 

Does anyone know why this warning occurs? Is it normal that FME triggers these?

1 reply

geomancer
Evangelist
  • April 12, 2022

'Gates' vei 69' looks to be faulty.

 

Aside from this: both UPPER([Name]) = 'some string with lowercase characters' and UPPER(PostAddress_Address1) = 'some string with lowercase characters' will never return any results, but those are not syntax errors.
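
Added example, not part of the thread and not FME code: the apostrophe in the address value from the question, handled three ways. It assumes the value was substituted into the SQL text; SQLite stands in for Azure SQL, the sample row is constructed, and the helper names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample row; SQLite stands in for the Azure SQL database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Customer "
               "(CustomerID INTEGER, Name TEXT, PostAddress_Address1 TEXT)")
    db.execute("INSERT INTO Customer VALUES (?, ?, ?)",
               (1, "Hans Hansen", "Gates' vei 69"))
    return db

# Same predicates as the logged statement; values are upper-cased on the
# client side so they can match the UPPER() columns in SQLite.
TEMPLATE = ("SELECT CustomerID FROM Customer WHERE UPPER(Name) = {name} "
            "AND UPPER(PostAddress_Address1) = {addr}")

def quote_raw(value):
    # Weak form: wraps the value in quotes and leaves embedded quotes alone.
    return "'" + value.upper() + "'"

def quote_escaped(value):
    # Doubles each apostrophe so it stays inside the string literal.
    return "'" + value.upper().replace("'", "''") + "'"

def run_text(db, name, address, quote):
    """Build the statement as text; return rows, or None if it fails to parse."""
    sql = TEMPLATE.format(name=quote(name), addr=quote(address))
    try:
        return db.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None

def run_bound(db, name, address):
    """Send the values as bound parameters; they never become SQL text."""
    sql = TEMPLATE.format(name="?", addr="?")
    return db.execute(sql, (name.upper(), address.upper())).fetchall()

if __name__ == "__main__":
    db = make_db()
    args = ("Hans Hansen", "Gates' vei 69")
    print(run_text(db, *args, quote_raw))      # statement does not parse
    print(run_text(db, *args, quote_escaped))  # row found
    print(run_bound(db, *args))                # row found
```

Only the raw-quoted form produces the kind of malformed statement the alert describes; the escaped and bound forms both find the row.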

