Is WebIQ vulnerable to SQL Injection attacks?

Is WebIQ vulnerable to SQL Injection attacks?

What is SQL Injection?

According to the Web Application Security Consortium Glossary, SQL Injection is:

"An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input."

http://www.webappsec.org/glossary.html#SQLInjection

Is WebIQ vulnerable to SQL Injection attacks?

No.

The ImageQuest system uses a proprietary language for querying stored documents.  This language is referred to as ImageQuest Query Language or IQQL.  The language has a very similar look and feel to the WHERE clause in an SQL statement and therefore could easily be mistakenly identified as a possible exposure to SQL Injection attacks.

When a search is performed from WebIQ the system generates the appropriate IQQL statement based on the information provided by the user in the search criteria form.  This IQQL statement is then provided to the subsequent ASPX page via the URL in what is referred to as the Query String.

Here is an example of an IQQL statement generated by WebIQ:

([DocumentType] = 'MFP Scan') AND ([PageCount] = 5)

This IQQL statement is passed on the URL as follows: 

http://server/webiq/results.aspx?searchcriteria=(%5bDocumentType%5d+%3d+'MFP+Scan')+AND+(%5bPageCount%5d+%3d+5)

IQQL statements are parsed by the ImageQuest engine in order to create the appropriate underlying SQL SELECT statement to query the database.  There are no data changing commands that are recognized as valid IQQL syntax so an attempt to inject those commands will cause an exception during the parsing process and result in no action being taken on the database.  Also, regardless of the IQQL statement provided on the URL the document security associated with the current user is always upheld by the ImageQuest engine which protects the data from a user attempting to gain access to information they are not allowed to see.  For example, the user could change the IQQL in the URL to ([DocumentType] = 'Invoice') but if they are not allowed access to the Invoice document type, then no documents will be returned.