Is there an injection-safe way to call via the Axapta Business Connector?
string salesId = someObject.Text;
IAxaptaRecord salesLine = ax.CreateRecord("SalesLine");
salesLine.ExecuteStmt("select * from %1 where %1.SalesId == '" + salesId + "'");
If someObject.Text is set to the following, I am then vulnerable to X++ code injection:
"SomeSalesOrder' || %1.SalesId == 'SomeOtherOrder"
Is there a way to parametrize the query, or would it be better to write all of the data access code directly in X++, and then call that from COM?
There is no way to be sure you have covered all cases ...
Using ExecuteStmt is most likely the wrong approach. You should write your select or whatever in an Axapta method (with parameters), then call that method.
You should do a replace on ' to \'
e.g.
string salesId = someObject.Text.Replace("'", "\\'");
Holz,
You can use parametrized SELECT statements with the forcePlaceholder keyword.
This is the default behavior in X++, but since this behavior can be overridden for complex joins, it's a good idea to implicitly specify the forcePlaceholder hint.
As parametrized SELECTs impose some additional overhead, and don't allow optimization on the actual values of the parameters, you may want to consider using views or Axapta queries instead.
Regards,
Velislav Marinov
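As an added example (not code from the original question or any of the answers) showing what the two suggestions above look like together: the select lives in a server-side X++ method that receives the sales id as a typed parameter, and the placeholder hint keeps the value bound rather than inlined. The class name SalesLineLookup and method name exists are hypothetical; SalesLine, SalesId and RecId are standard Axapta table/field names, and the hint keyword is written here as forcePlaceholders, the spelling X++ accepts.

```xpp
// Added example, not from the original thread. The caller passes the sales id as an
// argument; it never becomes part of the query text, so X++ syntax inside the value
// has no effect on what the select does.
class SalesLineLookup
{
    // Returns true when at least one SalesLine row belongs to the given order.
    // The parameter is compared as data: a value such as
    // "SO-000001' || SalesLine.SalesId == 'SO-000002" is one literal string that
    // matches no order, not an appended condition.
    public static server boolean exists(SalesId _salesId)
    {
        SalesLine salesLine;

        // forcePlaceholders keeps the value parametrized even in cases where the
        // kernel would otherwise inline literals for join optimization.
        select firstOnly forcePlaceholders RecId from salesLine
            where salesLine.SalesId == _salesId;

        return salesLine.RecId != 0;
    }

    // Runs the method with a constructed hostile-looking input so the behaviour
    // can be checked from within Axapta (AOT job / class main).
    public static void main(Args _args)
    {
        str hostile = "SO-000001' || SalesLine.SalesId == 'SO-000002";

        info(strFmt("exists(%1) = %2", hostile, SalesLineLookup::exists(hostile)));
    }
}
```

From the .NET side of the Business Connector the method would be invoked with the string as an argument, for example ax.CallStaticClassMethod("SalesLineLookup", "exists", salesId) (an assumed usage, not shown on this page), so the C# code never builds X++ source text from user input and the escaping approach becomes unnecessary.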