SQL Injection Risks in FileMaker

Beginner

Understand how ExecuteSQL and the Data API can be exploited through unsanitized input, and how to prevent it.

What you'll learn

  • How SQL injection applies to FileMaker's ExecuteSQL
  • Safe parameter binding in ExecuteSQL
  • Sanitizing Data API find requests
  • Script-based input validation as a defense layer

FileMaker solutions are not immune to SQL injection. ExecuteSQL() with user-supplied input, Data API find requests that include unsanitized values, and calculation fields that construct query strings are all potential injection surfaces. The prevention is the same as in any other environment: never concatenate user input into a query string.


The ExecuteSQL injection surface

ExecuteSQL() evaluates whatever SQL string you hand it. If you build that string by concatenating user-supplied input without sanitization, an attacker can craft input that changes the query's meaning.

FileMaker Script
// DANGEROUS: user input directly in SQL string
ExecuteSQL ( "SELECT Name FROM Contacts WHERE Status = '" & $userInput & "'" ; "" ; "" )

// If $userInput = "active' OR '1'='1'
// Query becomes: WHERE Status = 'active' OR '1'='1'
// Returns ALL records regardless of Status
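The fix is to stop building the WHERE clause out of the input and instead bind the value through ExecuteSQL's dynamic-parameter arguments. The following FileMaker calculation is an added example, not code from the original lesson: it assumes the same Contacts table and Status field as the snippet above, and a $userInput variable set earlier in the script.

```filemaker
// SAFE: the "?" placeholder is bound to $userInput at execution time,
// so the value is treated as data and is never parsed as SQL.
Let ( [
  sql = "SELECT Name FROM Contacts WHERE Status = ?" ;

  // Empty field separator and row separator fall back to the defaults
  // ("," and ¶). Every argument after the separators binds to the next "?".
  result = ExecuteSQL ( sql ; "" ; "" ; $userInput )
] ;

  // With $userInput = "active' OR '1'='1" the comparison is against that
  // exact literal string; no Contacts record has such a Status, so the
  // result is empty rather than the whole table.
  // ExecuteSQL returns a lone "?" when the statement itself fails to parse.
  If ( result = "?" ; "SQL error: check the query text" ; result )
)
```

Only values can be bound this way; table and field names cannot be supplied through "?". If a column name must vary at run time, choose it from a fixed list in the script (Case or a lookup) and never take it from user input.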
