Injection-safe call in IAxaptaRecord.ExecuteStmt()

Is there an injection-safe way of making this call through the Axapta Business Connector?

string salesId = someObject.Text;

IAxaptaRecord salesLine = ax.CreateRecord("SalesLine");
// The user-supplied text is concatenated straight into the X++ statement.
salesLine.ExecuteStmt("select * from %1 where %1.SalesId == '" + salesId + "'");

If someObject.Text is set to the following, then I am vulnerable to X++ code injection:

"SomeSalesOrder' || %1.SalesId == 'SomeOtherOrder"

Is there a way to parameterize the query, or would it be better to write all the data access code directly in X++ and then call it from COM?

+3

3 answers

It’s impossible to make sure that you have covered all the cases ...

Using ExecuteStmt is most likely the wrong approach. You must write your select (or whatever else you need) in an Axapta method (with parameters), then call that method.

+2

You need to replace ' with \', for example:

string salesId = someObject.Text.Replace("'", "\\'");
-2

Holz,

You can use parameterized SELECT statements with the forcePlaceholders keyword. This is the default behavior in X++, but since this behavior can be overridden for complex joins, it is a good idea to give the forcePlaceholders hint explicitly.

Since parameterized SELECTs add some overhead and do not let the optimizer use the actual parameter values, you may want to use Axapta views or queries instead.

Sincerely, Velislav Marinov

-2
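Putting the first and third answers together, here is an added example that is not from the original thread and not Microsoft's own code: an X++ class whose method takes the sales id as a typed parameter and selects with forcePlaceholders, so the Business Connector caller never builds a statement string at all. The class name SalesLineLookup, the container layout returned, and the C# call shown in the note below are assumptions; the single-file class syntax is the D365/AX 7 form (in AX 2009/2012 the method would be a separate node under the class in the AOT).

```xpp
// Added example; SalesLineLookup and the container layout are assumptions.
class SalesLineLookup
{
    // Returns one [ItemId, SalesQty] container per line of the given order.
    // _salesId is a bound parameter of type SalesId: the caller's text is
    // never spliced into the statement, so a value such as
    //   SomeSalesOrder' || %1.SalesId == 'SomeOtherOrder
    // is simply compared as a string and matches no order.
    public static container linesForOrder(SalesId _salesId)
    {
        SalesLine salesLine;
        container lines;

        // forcePlaceholders makes the kernel send _salesId to SQL Server as a
        // bind variable instead of inlining it as a literal. It is the default,
        // but the hint pins it even where the kernel would otherwise fall back
        // to literals (the trade-off: one cached plan, no value-specific
        // optimisation, as the third answer notes).
        while select forcePlaceholders ItemId, SalesQty from salesLine
            where salesLine.SalesId == _salesId
        {
            lines += [[salesLine.ItemId, salesLine.SalesQty]];
        }

        return lines;
    }
}
```

From the .NET Business Connector the caller then passes the raw text as an argument rather than as part of a statement, roughly `ax.CallStaticClassMethod("SalesLineLookup", "linesForOrder", someObject.Text)` (the result comes back as an AxaptaContainer of nested containers; the exact call is an assumption to be checked against the Business Connector version in use). The injection string from the question travels through this path as data only: it reaches the database as a bound parameter value, is compared against SalesId, and returns an empty container.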

Source: https://habr.com/ru/post/1708533/
