For requests or help with our API
-
graham_mueller
- Posts: 38
- Joined: Fri Jan 19, 2024 10:57 am
Post
by graham_mueller » Tue Oct 15, 2024 9:48 am
A weird, random thing we ran into today. A user searched for a patient named Carole...
I thought surely I must have made a mistake somewhere and that it wasn't that, but searching "Caole" (or something real, like John) works fine.
This is from a call to the ShortQuery endpoint, the query is
Code: Select all
SELECT COUNT(*) as count
FROM patient
WHERE PatStatus NOT IN (3, 4)
AND (
CONCAT(TRIM(FName), ' ', TRIM(LName)) LIKE '%carole%'
OR Email LIKE '%carole%'
OR HmPhone LIKE '%carole%'
OR WkPhone LIKE '%carole%'
OR WirelessPhone LIKE '%carole%'
)
-
SLeon
- Posts: 553
- Joined: Mon Mar 01, 2021 10:00 am
Post
by SLeon » Tue Oct 15, 2024 10:43 am
Good morning. The Open Dental API screens all payload queries in Queries POST and Queries PUT ShortQuery request to be read-only (or on temp tables). It also screens out SQL actions that are inappropriate to perform via the API, such as the SLEEP command.
The reserved word "ROLE" is used to view, create, or revoke permissions for mysql users. Naturally, this is inappropriate to perform via the API. The word "ROLE" is used with the keywords "CREATE", "DROP", "SET", or "RESET". Because those keywords are allowed on temp tables, we added "ROLE" to our list of forbidden words. Additionally, it is designed this way because it can't effectively screen "CREATE ROLE" or "CREATE /*comment*/ ROLE" without looking for just "ROLE".
-
graham_mueller
- Posts: 38
- Joined: Fri Jan 19, 2024 10:57 am
Post
by graham_mueller » Tue Oct 15, 2024 11:06 am
I understand the limitations of your query API, but if you're going to search for the text "role," could you at least make it "freestanding," prefixed by a non-word character or something sane to prevent this sort of failure? This behavior is different for (eg) SET, searching for a patient named Seth or Rosette does not have the same problem.
-
graham_mueller
- Posts: 38
- Joined: Fri Jan 19, 2024 10:57 am
Post
by graham_mueller » Tue Oct 15, 2024 11:14 am
Heck, I can run that query with just the word CREATE, DROP, or SET and it works. It only fails with ROLE.
-
SLeon
- Posts: 553
- Joined: Mon Mar 01, 2021 10:00 am
Post
by SLeon » Tue Oct 15, 2024 11:40 am
I realize failed to mention in my last post that I intended too further look into our screening logic to see what we can (safely) do. I will update this thread when I do. However, it is lower priority than API Feature Requests.
-
jordansparks
- Site Admin
- Posts: 5755
- Joined: Sun Jun 17, 2007 3:59 pm
- Location: Salem, Oregon
-
Contact:
Post
by jordansparks » Mon Oct 21, 2024 7:06 am
Our filter needs to be better. It should use regular expressions to ignore those keywords if present inside of quotes.
