SQL injection in Q&A Visual

EmanuelKakuja · ‎11-01-2021

Hi everyone,
While doing testing on one of our reports we uncovered that we can actually perform SQL injection via the Q&A visual .
You can even test this by writting
'or 1=1--
in the Q&A visual of the Power BI sample report offered by Microsoft called "Sales and Returns sample v201912"

Is there a way to stop SQL injections from taking place via the Q&A visual ?

v-chuncz-msft · ‎11-01-2021

v-chuncz-msft · ‎11-02-2021

@EmanuelKakuja

I tried the latest version to test several cases. All seem to be working fine.

EmanuelKakuja · ‎11-09-2021

Hellow ,

thank you for the reply .

I am not sure what you mean by working fine .
I am already using the latest version of desktop Version: 2.98.1004.0 64-bit (October 2021)

So, it take it that it is to be expected to be able to perform SQL injection via the Q&A visual ? ( screenshot bellow) and if so we do not have any way to prevent it ?

I couldn't find any similar cases on the web .
I did find a site where the user was able to perform SQL injection via Power BI parameter
SQL Injection in Power BI Service - Michał Ćwiok (cwiok.pl)

Thank you in advance for your time and help .

@v-chuncz-msft

v-chuncz-msft · ‎11-18-2021

@EmanuelKakuja

If user can perform SQL injection, the result would not be empty.

SQL injection in Q&A Visual

Error when connecting to Azure Open AI Service fro...

Filled Map wrong country code mapping

Issue: dataflow gen2 created in subfolder or with ...

Workbook not opening in desktop despite being down...

PowerBi Service - Workspace folder name validation...

Join us at the 2025 Microsoft Fabric Community Conference

SQL injection in Q&A Visual

Error when connecting to Azure Open AI Service fro...

Filled Map wrong country code mapping

Issue: dataflow gen2 created in subfolder or with ...

Workbook not opening in desktop despite being down...

PowerBi Service - Workspace folder name validation...