Skip to content
KSEF-BUS-191 SECURITY Warning KSeF Guard Only

SQL injection pattern in invoice text fields

Wzorzec SQL injection w polach tekstowych faktury

Problem

An invoice text field contains SQL-like patterns (e.g. SELECT, DROP TABLE). This may indicate an attack attempt or an accidental paste of code.

How to Fix

Check item descriptions — if the text is intentional, rephrase it so that it does not resemble database commands.

Source Reference

KSeF Guard security heuristic (SQL injection prevention)

View source

Source Quote

“Invoice text fields must not contain SQL injection patterns (DROP TABLE, UNION SELECT, etc.).”
Description SHA-256: cb74b646c927…

Justification

FORMAT

Legal Basis Chain

1

KSeF Guard — SQL injection prevention

KSeF Guard — prewencja SQL injection

“[KSeF Guard heuristic] Invoice text fields in the FA(3) schema are of xsd:string type and should contain plain text only. SQL injection patterns are not explicitly prohibited by the VAT Act but represent a classical attack vector against systems consuming invoice data. Guard detects potentially dangerous patterns before they reach downstream layers (e.g. reports, dashboards, database export).”
KSeF Guard security heuristic (SQL injection prevention)