    How to use SQL macros securely
    Updated Feb 28, 2020


    Description

    When using SQL for Confluence on sites with untrusted users, you may need to employ security measures to control its use. This page describes some of the techniques for doing so. In some cases you may want to combine several techniques, depending on factors such as the database being accessed. For instance, macro security can be applied regardless of which other techniques you use.

    Technique: Macro Security for Confluence

    Description: Content using SQL macros can only be created or updated by trusted users, while other users can still view the content. This is implemented by the Confluence administrator installing Macro Security for Confluence using UPM and configuring access.

    Benefits:
    • Enables trusted users to provide important content.
    • Controlled at the user, group, and database level.

    Technique: Database permissions

    Description: Database permissions for the user configured for the SQL data source can be restricted, for instance to view-only authority. This is recommended when only a subset of access is needed, especially for browse-only use.

    Benefits:
    • Controls what database operations are allowed.
    • Eases concerns for the database or security administrator.

    Technique: Allow only SQL Query macro (see 10.x or 8.x versions)

    Description: Some databases (like PostgreSQL) enforce a JDBC remote access mode for read-only. The SQL Query macro uses this support. This can be implemented by having the Confluence administrator disable the other SQL macros in the UPM.

    Benefits: Restricts access to query only.

    Technique: Allow only SQL File macro (see 10.x or 8.x versions)

    Description: The SQL File macro only runs Confluence administrator controlled SQL. This can be implemented by having the Confluence administrator disable the other SQL macros in the UPM. See Run SQL queries securely, without page edit restrictions for the 10.x version or How to securely run SQL queries without page edit restrictions for the 8.x version.

    Benefits: Only pre-defined SQL can be run.

    Technique: Role based security (see 10.x or 8.x versions)

    Description: Use database role security to control what data is available.

    Benefits: Data is shown based on user ID and role.

    Technique: Use parameter markers

    Description: Prevent SQL injection attacks by using parameter markers. This is only necessary when SQL statements are partially constructed from user input, for example when using Run Self-Service Reports for Confluence. See Wikipedia: SQL injection. Parameter markers are supported by SQL for Confluence.

    Benefits: Prevents SQL injection attacks when users are allowed to provide statement construction input.
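The following is an added illustration of the parameter markers and database permissions techniques above; it is not SQL for Confluence's own code. It uses Python's sqlite3 module on constructed sample rows to show the same report built by string concatenation and with a `?` parameter marker, and a query_only connection as a stand-in for a data source user granted view-only authority.

```python
import sqlite3

# Constructed sample data standing in for a table a SQL macro would query.
ROWS = [
    ("alice", "Engineering", "public"),
    ("bob", "Finance", "restricted"),
    ("carol", "Finance", "public"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff(name TEXT, dept TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", ROWS)
    return conn


def report_concatenated(conn, dept):
    """Statement partially built from user input by concatenation: a quote in
    the input changes the statement's structure, not just its data."""
    sql = ("SELECT name FROM staff WHERE dept = '" + dept
           + "' AND visibility = 'public'")
    return [row[0] for row in conn.execute(sql)]


def report_parameterized(conn, dept):
    """Same report with a parameter marker (?): the driver binds dept as a
    value, so quoting in the input cannot alter the WHERE clause."""
    sql = "SELECT name FROM staff WHERE dept = ? AND visibility = 'public'"
    return [row[0] for row in conn.execute(sql, (dept,))]


def make_read_only(conn):
    """Stand-in for a view-only data source user: writes on this connection fail."""
    conn.execute("PRAGMA query_only = ON")
    return conn


def write_allowed(conn):
    """Return True if a DELETE succeeds on the connection, False if refused."""
    try:
        conn.execute("DELETE FROM staff")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    crafted = "Finance' OR '1'='1"  # constructed input containing a stray quote
    print(report_concatenated(db, crafted))   # all three rows, restricted included
    print(report_parameterized(db, crafted))  # [] - no department has that name
    print(write_allowed(make_read_only(db)))  # False
```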

    Confluence database access

    If Confluence database access is defined via an application server based data source, Confluence data can be accessed by the SQL macros using that data source unless other security techniques prevent access. This can be powerful in many circumstances but should be access controlled just like any other database. Direct access to a database circumvents application level security, so this should always be taken into account. Even if you want to provide some level of access to the Confluence database, it is strongly recommended to create a separate data source for this access: either duplicate the application server data source definition that Confluence uses under a different name (preferred), or create a profile defined data source. To prevent access to the Confluence defined data source, either use Macro Security for Confluence to disallow access, or define a profile defined data source with the same name as the application data source and override its values or redirect it to some other data source.

    Click any of the following links to read more about data source profiles:

    • 10.x version

    • 8.x version
