Grafana iframe with variables is causing SQL injection

Hi Team,
We are using Grafana version 9.1 on Ubuntu OS.

We have shared dashboards to the web browser using the embed iframe sharing method. The web browser can pass variables through the URL, and because of this, when we do a pentest, SQL injection (High Level) exists. Is there a solution to prevent this issue? Thanks in advance.

Welcome

While Grafana or the SQL plugin should prevent this, what are you doing on your side to prevent this?

How is it that a URL call makes a SQL call, etc.?

Can you provide more details?

Hi,
We have created variables for interval and company name in a dashboard and prepared a panel which takes these variable values to query MySQL on the Grafana platform.
On the client platform, the user is able to select the company, the time span and the time period on an HTML page. The HTML simply makes the request with the variable values selected by the user. An example of a URL is something like the one below.
https://xxxxxxx:3000/d-solo/wSxUWb74z/new-dashboard?orgId=1&var-dataUnit=5m&var-companyName=1&from=1662368400000&to=1662382799000&panelId=2

Many thanks!
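An added example, not part of the thread and not Grafana code: a check that a reverse proxy or the embedding site's backend could apply to the embed URL quoted above, so that only allow-listed parameter values ever reach the panel query. The helper name `check_embed_url`, the host `grafana.example` and the value formats in `RULES` are assumptions inferred from that one sample URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allow-list: one rule per query parameter seen in the thread's URL.
# Explicit [0-9] classes are used so that only ASCII digits match.
RULES = {
    "orgId": re.compile(r"[0-9]{1,6}"),
    "panelId": re.compile(r"[0-9]{1,6}"),
    "from": re.compile(r"[0-9]{13}"),                 # epoch milliseconds
    "to": re.compile(r"[0-9]{13}"),
    "var-dataUnit": re.compile(r"[0-9]{1,3}[smhd]"),  # interval such as 5m
    "var-companyName": re.compile(r"[0-9]{1,9}"),     # numeric id such as 1
}


def check_embed_url(url):
    """Return (ok, reasons) for a d-solo embed URL (hypothetical helper)."""
    parts = urlsplit(url)
    reasons = []
    if not parts.path.startswith("/d-solo/"):
        reasons.append("path is not a d-solo panel")
    # parse_qs percent-decodes values, so the rules see the decoded text.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        rule = RULES.get(name)
        if rule is None:
            reasons.append(f"unexpected parameter {name!r}")
        elif len(values) != 1:
            reasons.append(f"{name!r} given {len(values)} times")
        elif not rule.fullmatch(values[0]):
            reasons.append(f"{name!r} has a value outside its allowed format")
    for name in RULES:
        if name not in params:
            reasons.append(f"missing parameter {name!r}")
    return (not reasons, reasons)


# Constructed samples: the thread's URL with a placeholder host, and a copy
# whose company id carries a trailing single quote.
GOOD = ("https://grafana.example:3000/d-solo/wSxUWb74z/new-dashboard"
        "?orgId=1&var-dataUnit=5m&var-companyName=1"
        "&from=1662368400000&to=1662382799000&panelId=2")
BAD = GOOD.replace("var-companyName=1", "var-companyName=1%27")

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(check_embed_url(sample))
```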

I am not seeing where the SQL injection can happen?