This question already has an answer here:
- Injection safe call to IAxaptaRecord.ExecuteStmt() 3 answers
I have some code, which uses the ExecuteStmt method on the Axapta Object when using the Business Connector, like so:
AxaptaRecord record = (AxaptaRecord)ax.CreateAxaptaRecord("SalesTable");
record.ExecuteStmt("select * from %1 where %1.SalesId == '" + id + "'");
while (record.Found)
{
// do stuff
}
This works fine, but it's going to be on a public facing website, so is this a good way of accessing the data and is it secure from SQL Injection? Because I've read that this statement will use the "forcePlaceholders" keyword which will parameterise the query as it doesn't contain a join?
