web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Automate / How to prevent SQL Inj...
Power Automate
Unanswered

How to prevent SQL Injections when using Power Apps & Power Automate Flows?

(0) ShareShare
ReportReport
Posted on by slothfulwave612 4

Let me give you some context regarding my problem.

I have developed a Power App that contains a gallery. This gallery has the following fields: Product Name, Product Description, and Product's Objective. The users can come and add a new row and fill in the values for these fields or can update what's existing. The data is stored in a SQL database.

Let's pick an example of updation. Let's say a user comes and wants to update the description and objective. They can type in the input fields and then click the submit button. Now, in the submit button, I am not using the Patch or UpdateIf functions but a Power Automate Flow to update the data in the SQL table. We have this 'Execute SQL Query (v2)' connector in Power Automate that I am using here (the trigger being Power Apps). My major concern here is how can I prevent SQL Injection attacks. The submit button OnClick script looks something like this:

 

 

Concurrent(
 ClearCollect(
 ModifiedRows, 

 Filter(
 product_gallery.AllItems,
 Value(gallery_is_modified.Text) = 1 // gallery_is_modified is a gallery element
 )
 ),

 Clear(UpdateStatements)
);

// concat all update statements
ForAll(
 ModifiedRows As modified_rows,

 With(
 {
 product_name_val: If(
 modified_rows.gallery_product_name.Text in [Blank(), ""],
 "NULL",
 "'" & Substitute(modified_rows.gallery_product_name.Text, "'", "''") & "'"
 ),
 product_description_val: If(
 modified_rows.gallery_product_description.Text in [Blank(), ""],
 "NULL",
 "'" & Substitute(modified_rows.gallery_product_description.Text, "'", "''") & "'"
 ),
 product_objective_val: If(
 modified_rows.gallery_product_objective.Text in [Blank(), ""],
 "NULL",
 "'" & Substitute(modified_rows.gallery_product_objective.Text, "'", "''") & "'"
 )
 },

 Collect(
 UpdateStatements,
 {
 Text: "
 UPDATE
 ProductTable
 SET
 product_name = " & product_name_val & ",
 product_description = " & product_description_val & ",
 project_lead_product_objectives = " & product_objective_val & "
 WHERE
 id = " & modified_rows.id & ";
 "
 }
 )
 )
);

If(
 CountRows(ModifiedRows) > 0,
 ExecuteSQLQuery.Run(
 "
 BEGIN TRANSACTION
 " & 
 Concat(
 UpdateStatements, 
 Text & " 
 "
 ) &
 "
 COMMIT TRANSACTION
 "
 )
);

// ... rest of the script

 

 

 

The gist is:

  1. Fetch all the modified rows from the gallery (product_gallery).
  2. Traverse, create, and collect the required UPDATE statements.
  3. Run all the UPDATE statements in one go (I am using this approach because I have found that this approach executes all the queries faster than using the Patch or UpdateIf functions for each modified row).

As you can see in the code, I am already escaping the single quotes for strings. But that's not enough to prevent SQL Injections. I read that we can use parameterization to prevent SQL Injections. However, I am not able to find the correct approach to implement the same in Power Apps. Can someone nudge me in the right direction here?

 
Thanks for your time!!!
Categories:
Using connectors
I have the same question (0)
  • lbendlin Profile Picture
    lbendlin 8,474 Super User 2025 Season 2 on at

    I assume you are aware of this whitepaper? Power Platform security FAQs - Power Platform | Microsoft Learn

  • slothfulwave612 Profile Picture
    slothfulwave612 4 on at

    // THIS GOT POSTED TWO TIMES - not sure how to delete

    Thanks!!! I was not aware about the whitepaper that you have linked. On doing some research I found out I can specify `formalParameters` while passing the SQL query to the `Execute a SQL Query (v2)` connector. But I have a question here, now whenever I have to run the same code as posted above; with each iteration I will now have to call the Power Automate flow to run each update query, correct? It will look something like this, right:

     

    ForAll(
 ModifiedRows As modified_rows,

 # flow will take the following inputs - query, and 4 parameter values
 ExecuteSQLQuery.Run(
 "
 UPDATE
 ProductTable
 SET
 product_name = @product_name_val,
 product_description = @product_description_val,
 product_objective = @product_objective_val
 WHERE
 id = _val
 ",
 modified_rows.gallery_product_name.Text,
 modified_rows.gallery_product_description.Text,
 modified_rows.gallery_product_objective.Text,
 modified_rows.id
 )
);

     


    Is this the way to go. Some caveats here will be (my hypothesis):

    1. The execution will be little bit slow because we need to make the connection to the database in each and every iteration with the new implementation. With the old one, I was concatenating all the update queries into one and then executing all in one go (the issue there was not using parameterized query) 
    2. Also, till now I was using only one Power Automate flow for executing SQL queries in all the submit buttons. But now do I have to prepare multiple Power Automate flows to work in multiple submit buttons running different SQL queries as the parameters are different in every SQL query?

    Please correct me if I am wrong anywhere. 

  • slothfulwave612 Profile Picture
    slothfulwave612 4 on at

    Thanks!!! I was not aware about the whitepaper that you have linked. On doing some research I found out I can specify `formalParameters` while passing the SQL query to the `Execute a SQL Query (v2)` connector. But I have a question here, now whenever I have to run the same code as posted above; with each iteration I will now have to call the Power Automate flow to run each update query, correct? It will look something like this, right:

     

     

    ForAll(
 ModifiedRows As modified_rows,

 # flow will take the following inputs - query, and 4 parameter values
 ExecuteSQLQuery.Run(
 "
 UPDATE
 ProductTable
 SET
 product_name = @product_name_val,
 product_description = @product_description_val,
 product_objective = @product_objective_val
 WHERE
 id = _val
 ",
 modified_rows.gallery_product_name.Text,
 modified_rows.gallery_product_description.Text,
 modified_rows.gallery_product_objective.Text,
 modified_rows.id
 )
);

     

     


    Is this the way to go. Some caveats here will be (my hypothesis):

    1. The execution will be little bit slow because we need to make the connection to the database in each and every iteration with the new implementation. With the old one, I was concatenating all the update queries into one and then executing all in one go (the issue there was not using parameterized query) 
    2. Also, till now I was using only one Power Automate flow for executing SQL queries in all the submit buttons. But now do I have to prepare multiple Power Automate flows to work in multiple submit buttons running different SQL queries as the parameters are different in every SQL query?

    Please correct me if I am wrong anywhere. 

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!

Quick Links

Forum hierarchy changes are complete!

In our never-ending quest to improve we are simplifying the forum hierarchy…

Ajay Kumar Gannamaneni – Community Spotlight

We are honored to recognize Ajay Kumar Gannamaneni as our Community Spotlight for December…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Automate

#1
Michael E. Gernaey Profile Picture

Michael E. Gernaey 523 Super User 2025 Season 2

#2
Tomac Profile Picture

Tomac 406 Moderator

#3
abm abm Profile Picture

abm abm 245 Most Valuable Professional

Last 30 days Overall leaderboard

Featured topics

Share your ideas and struggles with building Power Automate flows!
Survey: Power Automate mobile app
How to Ask for Help with Your Power Automate Workflow
Flows are not visible for users who sign in with their personal accounts
Start and wait for an approval action
Restore a deleted flow
List of actions cheat sheet for Power Automate Desktop
Question for everyone : How are you using Create Text GPT in AI Builder?
Welcome to the Power Automate forum!

Product updates

Microsoft Power Platform Community release plans