VAR_SECURITY_LEVEL

Systemwide variable that determines the security level for the replacement of variables in dynamic Variable objects.

  • Description: Determines whether variables can be used in VARA objects, and which ones.

    This affects the replacement procedure of variables that are used within SQL statements (SQL and SQLI type variables) and OS commands (Backend type variables).

    The variables are replaced at the following security levels:

    Security level 0

    • None

    Security level 1

    • Predefined variables (User cannot directly change the value)

    Security level 2

    • Predefined variables (User cannot directly change the value)
    • Predefined variables (User can change the value)

    Security level 3

    • Predefined variables (User cannot directly change the value)
    • Predefined variables (User can change the value)
    • Placeholder for VARA objects
    • PromptSet variables

    For more information about the security levels of all predefined variables, see Variables for System and Object Values.

    Important! At security level 3, all SQL statements and OS commands that are included in the value to be inserted in the specified Variable object can be executed.

    Example

    A script is used to change the content of the variable VARA2 whose value will be inserted in the SQL statement:

    :PUT_VAR VARA2, '*', 'Value; DELETE * FROM x;'

    Because the content of the Variable object VARA2 has been changed, an additional SQL command is inserted in the SQL variable VARA1 (value replacement). This is possible even though VARA1 itself has not been changed directly (for example, by a user without the corresponding rights), and it can lead to unintended database access (in this case: the deletion of data).

    The setting VAR_SECURITY_LEVEL has no effect if you access Variable objects of client 0. In this case, they can always be used.

  • Allowed values: 0, 1, 2, and 3

  • Default value: 0

  • Restart required: No
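
The replacement levels and the VARA2 example above can be modeled in a few lines of Python. This is an added sketch, not Automic code: the `<class:NAME>` token syntax, the function names, and the VARA1 SQL definition are constructed for illustration; only the VARA2 value comes from the example above.

```python
import re

# Variable classes named on the page -> lowest VAR_SECURITY_LEVEL that replaces them.
MIN_LEVEL = {
    "predefined_fixed": 1,  # predefined, user cannot directly change the value
    "predefined_user": 2,   # predefined, user can change the value
    "vara": 3,              # placeholder for VARA objects
    "promptset": 3,         # PromptSet variables
}

# Constructed token syntax for this model only (not Automic syntax): <class:NAME>
TOKEN = re.compile(r"<(\w+):(\w+)>")


def resolve(template, values, level, client=100):
    """Replace tokens in a SQL/Backend VARA definition as the given level allows.

    Returns (resolved_text, names_left_unreplaced).
    """
    skipped = []

    def repl(match):
        cls, name = match.groups()
        # Per the page, the setting has no effect on Variable objects of client 0.
        if client == 0 or level >= MIN_LEVEL[cls]:
            return values[name]
        skipped.append(name)
        return match.group(0)

    return TOKEN.sub(repl, template), skipped


def added_statements(template, resolved):
    """Count statements that replacement added (naive split on ';', ignores quoting)."""
    def count(sql):
        return sum(1 for part in sql.split(";") if part.strip())
    return count(resolved) - count(template)


# Constructed VARA1 definition; the VARA2 value is the one from the page's example.
VARA1_SQL = "SELECT * FROM x WHERE client = <predefined_fixed:CLIENT> AND col = <vara:VARA2>"
VALUES = {"CLIENT": "100", "VARA2": "Value; DELETE * FROM x;"}

if __name__ == "__main__":
    for lvl in range(4):
        sql, skipped = resolve(VARA1_SQL, VALUES, lvl)
        print(lvl, added_statements(VARA1_SQL, sql), skipped, sql)
```

Only level 3 resolves the VARA placeholder, and at that point one statement has been added to VARA1 although its definition is unchanged; a statement-count comparison like `added_statements` is one way to review SQL and Backend Variable objects before raising the level.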
