SQL injection in Q&A Visual

EmanuelKakuja · ‎11-01-2021

Hi everyone,
While doing testing on one of our reports we uncovered that we can actually perform SQL injection via the Q&A visual .
You can even test this by writting
'or 1=1--
in the Q&A visual of the Power BI sample report offered by Microsoft called "Sales and Returns sample v201912"

Is there a way to stop SQL injections from taking place via the Q&A visual ?

v-chuncz-msft · ‎11-01-2021

v-chuncz-msft · ‎11-02-2021

@EmanuelKakuja

I tried the latest version to test several cases. All seem to be working fine.

EmanuelKakuja · ‎11-09-2021

Hellow ,

thank you for the reply .

I am not sure what you mean by working fine .
I am already using the latest version of desktop Version: 2.98.1004.0 64-bit (October 2021)

So, it take it that it is to be expected to be able to perform SQL injection via the Q&A visual ? ( screenshot bellow) and if so we do not have any way to prevent it ?

I couldn't find any similar cases on the web .
I did find a site where the user was able to perform SQL injection via Power BI parameter
SQL Injection in Power BI Service - Michał Ćwiok (cwiok.pl)

Thank you in advance for your time and help .

@v-chuncz-msft

v-chuncz-msft · ‎11-18-2021

@EmanuelKakuja

If user can perform SQL injection, the result would not be empty.

SQL injection in Q&A Visual

March 2025 Update - Error fetching data for this v...

Desktop Application Bug?? - PBI desktop applicatio...

Previously working Mac calender visual now gives m...

Azure Maps reference layer transparency behaves di...

Azure maps not displaying mapped data points in pu...

Get Fabric certified for FREE!

SQL injection in Q&A Visual

March 2025 Update - Error fetching data for this v...

Desktop Application Bug?? - PBI desktop applicatio...

Previously working Mac calender visual now gives m...

Azure Maps reference layer transparency behaves di...

Azure maps not displaying mapped data points in pu...