PREVENTING SQL INJECTION ATTACKS
Xano offers filters that help ensure dynamic or user-supplied input is not parsed in a way that could harm your database or cause other unintended consequences. Make sure to process your inputs with the appropriate filter before they are used in any SQL query. These filters are sql_alias and sql_esc.
1. When using the Direct Database Query function, click SQL Assistant to access the AI SQL assistant.

2. Provide the assistant with the query you would like it to build.

3. Once complete, the assistant will present you with the query, along with an explanation of how it works and some records that satisfy it.

4. If the query returns the expected results, click Update SQL. Otherwise, you can ask the assistant to make any desired modifications or fixes.
   You can also make your own modifications to the query, such as adding ? characters to represent dynamic values.
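The two mechanisms described above, escaping input before it reaches the query and binding dynamic values through ? placeholders, are shown side by side in the added Python example below. It is illustrative code written for this page, not Xano's implementation of sql_esc or sql_alias, and it uses an in-memory SQLite table with constructed sample rows. It assumes that sql_esc is meant for values and sql_alias for identifiers such as column names; the contrast it draws is between pasting input into the SQL text, binding it as a parameter, and allow-listing plus quoting an identifier, which placeholders cannot protect.

```python
import sqlite3


def make_db():
    """Constructed sample data (not Xano data): three users in an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_users_concat(conn, name):
    """Unsafe: the value is pasted into the SQL text, so the input is parsed as SQL.
    Kept here only to show the behaviour the filters and placeholders prevent."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def find_users_param(conn, name):
    """Safe: the value is bound to a ? placeholder, so the input is only ever data.
    This is the same idea as the ? characters in a Direct Database Query."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


# Hypothetical allow-list of columns a caller may sort by (not from Xano).
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def quote_identifier(identifier):
    """Placeholders cannot stand in for a column or table name, so an identifier
    taken from input is allow-listed and then quoted. This plays the role that an
    identifier-escaping filter such as sql_alias plays in Xano (assumed, not Xano's code)."""
    if identifier not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unknown column: {identifier!r}")
    return '"' + identifier.replace('"', '""') + '"'


def list_users_sorted(conn, sort_by):
    """Builds ORDER BY from a validated, quoted identifier rather than raw input."""
    sql = f"SELECT name FROM users ORDER BY {quote_identifier(sort_by)}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    tainted = "x' OR 'a'='a"
    print("concat  :", find_users_concat(db, tainted))   # every row leaks
    print("param   :", find_users_param(db, tainted))    # no match, input was data
    print("sorted  :", list_users_sorted(db, "name"))
```

Running the block shows the concatenated query returning every row for an input it should not match, while the parameterised query returns nothing; the identifier helper rejects anything outside the allow-list before it can reach the query text.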