EXPORTMI error message in API flow "The query contains suspected SQL injection parts"

Kirill Kuchumov

Hi,

I built API flow with input body.

There is only one API EXPORTMI in the flow.

API testing return "The query contains suspected SQL injection parts" error.

Interesting thing - when I do the same with API flow input parameters instead of body, it works fine.

Has anyone encountered same issue?

Regards

Kirill

Find more posts tagged with

ION API Gateway

Accepted answers

All comments

Legacy Contributor

Hi Kirill,

I have tried the same in EXPORTMI - Select transaction with the same query its working fine. What is the transaction you are using?

Thanks,

JoseR

Kirill Kuchumov

Hi Jose,

I exported API flow, xml file is below

Kirill Kuchumov

Customer_Search_test KK 2022-07-12 04:50:51.963 1 2 {"productName":null,"productLogicalid":null,"method":"POST","path":"CustomerSearch/test","proxyPath":"CustomerSearch","restPath":"test","endpointName":"Customer","resourceName":"Search","description":null,"inputContentTypes":["JSON"],"outputContentTypes":["JSON"],"inputParameters":[{"name":"RBody","description":"","type":"BODY","dataType":"string","required":true,"schema":"{
"custName": "string",
"phone": "string"
}","example":"{
"custName":"Coast To Coast Freight",
"phone":"555-123-4567"
}","value":null,"path":null}],"inputContentType":"JSON","outputContentType":"JSON","outputParameters":[{"name":null,"description":null,"type":"BODY","path":null,"value":"{
"OKCUNM" : "${input.RBody}.custName",
"OKPHNO" : "${input.RBody}.phone",
"RecCountBody" : "${RecCount.Body}"
}"}]} {"$_InternalApiFlowReservedKeys_status":"200"} 0 START_END 0 SEQUENTIAL_FLOW 0 RecCount ION_API {"productName":"Infor M3","productLogicalid":"infor.m3","method":"GET","path":"M3/m3api-rest/v2/execute/EXPORTMI/Select","proxyPath":"M3/m3api-rest/v2/execute/EXPORTMI","restPath":"/Select","endpointName":null,"resourceName":null,"description":null,"inputContentTypes":[],"outputContentTypes":["JSON"],"inputParameters":[{"name":"QERY","description":"Query statement(982)","type":"QUERY","dataType":"string","required":true,"schema":null,"example":null,"value":"count(*) from OCUSMA where OKCUNM = '${input.RBody}.custName'","path":null},{"name":"SEPC","description":"Separator character or blank for flat file(1)","type":"QUERY","dataType":"string","required":false,"schema":null,"example":null,"value":null,"path":null},{"name":"HDRS","description":"Include headers, 1 or 0 or blank(1)","type":"QUERY","dataType":"number","required":false,"schema":null,"example":null,"value":"0","path":null},{"name":"cono","description":"The company context to use. Defaults to user default","type":"QUERY","dataType":"string","required":false,"schema":null,"example":null,"value":"100","path":null},{"name":"divi","description":"The division context to use. Defaults to user default","type":"QUERY","dataType":"string","required":false,"schema":null,"example":null,"value":null,"path":null},{"name":"lanc","description":"The language code to use. Defaults to user default","type":"QUERY","dataType":"string","required":false,"schema":null,"example":null,"value":null,"path":null},{"name":"locale","description":"The locale to use","type":"QUERY","dataType":"string","required":false,"schema":null,"example":null,"value":null,"path":null},{"name":"timeZone","description":"The time zone to use","type":"QUERY","dataType":"string","required":false,"schema":null,"example":null,"value":null,"path":null},{"name":"maxrecs","description":"Max number of records returned. 0 is unlimited","type":"QUERY","dataType":"string","required":false,"schema":null,"example":null,"value":"","path":null},{"name":"dateformat","description":"Date format to use","type":"QUERY","dataType":"string","required":false,"schema":null,"example":null,"value":null,"path":null},{"name":"excludeempty","description":"When true, empty fields are omitted in response","type":"QUERY","dataType":"string","required":false,"schema":null,"example":null,"value":null,"path":null},{"name":"righttrim","description":"When true, all values are right trimmed in response","type":"QUERY","dataType":"string","required":false,"schema":null,"example":null,"value":null,"path":null},{"name":"returncols","description":"A comma separated list of column names that should be included in the response. Defaults to all columns","type":"QUERY","dataType":"string","required":false,"schema":null,"example":null,"value":null,"path":null},{"name":"format","description":"Controls output JSON format","type":"QUERY","dataType":"string","required":false,"schema":null,"example":null,"value":"","path":null},{"name":"extendedresult","description":"Show transaction parameters in the response","type":"QUERY","dataType":"string","required":false,"schema":null,"example":null,"value":null,"path":null}],"inputContentType":null,"outputContentType":"JSON","outputParameters":[{"name":"Body","description":null,"type":"BODY","path":null,"value":null}]}

Kirill Kuchumov

here is screenshots

API flow test result

here is API call in the flow

API call test

antonio-caria

that is new...

Legacy Contributor

Hi @kirill-kuchumov

EXPORTMI is another M3 MAK program that extracts the table values upon what is given in the (QERY) query parameter, It also checks for the list of keywords used in the QERY parameter of the MI. Below is the code that throws the error "The query contains suspected SQL injection parts".

These words are not allowed to use in the QERY.

if(check.contains("select ") || check.contains("delete ") || check.contains("drop ") || check.contains("insert ") ||
check.contains("exec ") || check.contains("update ") || check.contains("alter ") || check.contains("create ") ||
check.contains("truncate ") || check.contains("into ") || check.contains(";") || check.contains("") ||
check.contains("0x") || check.contains("%") || check.contains("/*")) {

KQLOG.W("EXPORTMI query: " + query);
MICommon.setError("", "CPF9898", toMvxString("The query contains suspected SQL injection parts"));
return -2L;
}

Copyright © 2025 Infor. All rights reserved.