From f81b9bad9c31f946b017ff47de3166df3d6fde74 Mon Sep 17 00:00:00 2001
From: eiffel-org
Date: Fri, 3 Feb 2017 18:24:09 +0000
Subject: [PATCH] Update wikipage Defending against SQL injections with EiffelStore. (Signed-off-by:javier).

git-svn-id: https://svn.eiffel.com/eiffel-org/trunk@1775 abb3cda0-5349-4a8f-a601-0c33ac3a8c38
---
 .../EiffelStore-SQL-injection.wiki | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/documentation/trunk/solutions/database-access/eiffelstore/EiffelStore-SQL-injection.wiki b/documentation/trunk/solutions/database-access/eiffelstore/EiffelStore-SQL-injection.wiki
index 71d828e6..936a0b96 100644
--- a/documentation/trunk/solutions/database-access/eiffelstore/EiffelStore-SQL-injection.wiki
+++ b/documentation/trunk/solutions/database-access/eiffelstore/EiffelStore-SQL-injection.wiki
@@ -37,3 +37,22 @@ To avoid SQL Injections you will need to map variables names to values using the
 
 * Queries returning a result will need to use: DB_SELECTION
 * Queries updating the database (Insert, Update, Delete) will need to use: DB_CHANGE
+The following example shows an attempt to do an SQL Injection attack, but as we are using EiffelStore API to bind the parameters the unsafe data will be escaped.
+
+
+ safe_query
+ local
+ l_connection: DATABASE_CONNECTION
+ db_selection: DB_SELECTION
+ l_query: STRING
+ do
+ ...
+ create db_selection.make
+ db_selection.set_query ("SELECT * FROM new_users where datetime = :datetime")
+ db_selection.set_map_name ("\''; DROP TABLE new_users; --", ":datetime")
+ db_selection.execute_query
+ db_selection.unset_map_name (":datetime")
+ ....
+ end
+
+
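Review bot: The sentence added at the top of the hunk says the unsafe data "will be escaped", but what the example actually demonstrates is parameter binding through `set_map_name`: the string is supplied as the value of the `:datetime` placeholder instead of being spliced into the statement text, so it is never parsed as SQL. Escaping and binding are different defences and readers who take "escaped" literally may conclude that quoting user input themselves is equivalent; I would reword it to `...but as we are using the EiffelStore API to bind the parameters, the string is passed as a value and is never interpreted as part of the SQL statement.` The locals `l_connection` and `l_query` are declared in the snippet but do not appear in the shown lines; if they are only used in the elided `...` sections, a short note saying so would keep the example self-contained.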