Velocity and XWQL: Dynamically query array contents safe from SQL injections?


im currently creating a small velocity macro that displays the next X calendar events. I want to add an whitelist type selection to the Macro from which spaces the calendar events shall be shown.

Currently I have an parameter (without defined type) where multiple spaces can be put into, seperated by an semicolon.
This gets splitted into an array and foreach $calendarSpace in the $array the $query get longer by adding or kalender.endDate > :date and like ${simpleQuotes}${calendarSpace}%${simpleQuotes}

This all then gets executed with $services.query.xwql($query).bindValue('date', $datetool.toDate($datetool)).setLimit($anzahl).execute()

The problem with this is obvoisly, that it is highly vulnerable to sql injections through putting bad things into the macro parameters. Simply deleting or escaping characters from the input is not viewed as secure as far as im aware of (im not an SQL expert).

As far as I understand, using .bindValue(…) to the query like I already use for the current date time is a safe way, as anything in it is handled as an value no matter what characters it contains and this prevents SQL injections.
Is this understanding correct?

And does somebody have an idea, how I can make such an query dynamic and add additional binds with the array values dependent of the array size?

I thought of using the array and .bindValue(…) with a list with in (:myList) like in Query API ( but according to Combining “LIKE” and “IN” for SQL Server - Stack Overflow LIKE and IN can’t be combined. :frowning:


See “binding a like” at

No idea about this, sorry.

1 Like

Thank you for your help and confirmation!
I now made multiple #elseif (array.size == …) with their own querys with the fitting amount of bindValue for each array size, to make things safe from SQL injection as an intermediate solution.

But I really wonder how other XWiki functions or extensions do the same trick of querying values in an safe way when the amount of values is not static?

Or am I approaching things completely from an strange / wrong direction?