
I'm running a workbench which contains several SQLExecutors that query an Azure SQL database. When running the workbench we get an alert from Microsoft Defender for Cloud saying that "An application generated a faulty SQL statement on database XXX. This may indicate that the application is vulnerable to SQL injection".

 

When looking into the case, I can see that the query raising this warning is from FME:

 

SELECT * INTO #fme_tempAdoDataTypeTable_spatialReader FROM ( select CustomerID, Name, PostAddress_Address1 from Customer where UPPER(RName]) = 'Hans Hansen' and UPPER(PostAddress_Address1) = 'Gates' vei 69' ) AS customQuery WHERE 1=0

 

Does anyone know why this warning occurs? Is it normal that FME triggers these?

'Gates' vei 69' looks to be faulty.

 

Aside from this: both UPPER((Name]) = 'some string with lowercase characters' and UPPER(PostAddress_Address1) = 'some string with lowercase characters' will never return any results, but those are not syntax errors.
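The two points in the answer above, reproduced as an added example that is not part of the original thread and is not FME or Microsoft code: an address containing an apostrophe breaks a statement when the value is pasted into the SQL text, while a bound parameter carries the same value safely, and comparing `UPPER(column)` to a mixed-case value matches nothing. Assumptions: SQLite's in-memory engine stands in for Azure SQL, the sample row is constructed, and the function names are hypothetical.

```python
import sqlite3

SELECT = "select CustomerID, Name, PostAddress_Address1 from Customer where "


def make_db():
    # Constructed sample data; table and column names follow the query in the question.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Customer (CustomerID INTEGER, Name TEXT, PostAddress_Address1 TEXT)"
    )
    # Inside a SQL literal an apostrophe has to be doubled ('').
    conn.execute("INSERT INTO Customer VALUES (1, 'Hans Hansen', 'Gates'' vei 69')")
    return conn


def substituted_sql(name, address):
    # Values pasted straight into the statement text, as in the logged query.
    return (SELECT + "UPPER(Name) = '" + name + "' and "
            "UPPER(PostAddress_Address1) = '" + address + "'")


def run_substituted(conn, name, address):
    # The apostrophe in the address ends the literal early, so the engine
    # rejects the statement; this is the "faulty SQL statement" condition.
    try:
        return conn.execute(substituted_sql(name, address)).fetchall()
    except sqlite3.OperationalError as exc:
        return "faulty statement: %s" % exc


def run_bound(conn, name, address, upper_both_sides=True):
    # Bound parameters never become part of the SQL text, so quoting
    # characters in the value cannot change the statement's structure.
    rhs = "UPPER(?)" if upper_both_sides else "?"
    sql = SELECT + "UPPER(Name) = " + rhs + " and UPPER(PostAddress_Address1) = " + rhs
    return conn.execute(sql, (name, address)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(substituted_sql("Hans Hansen", "Gates' vei 69"))
    print(run_substituted(db, "Hans Hansen", "Gates' vei 69"))
    print(run_bound(db, "Hans Hansen", "Gates' vei 69"))
    # Mixed-case value against UPPER(column): no rows, but no error either.
    print(run_bound(db, "Hans Hansen", "Gates' vei 69", upper_both_sides=False))
```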

