Axapta.ExecuteStmt - Is it safe? [duplicate]

我与影子孤独终老i submitted on 2019-12-11 16:24:16

Question


I have some code, which uses the ExecuteStmt method on the Axapta Object when using the Business Connector, like so:

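AxaptaRecord record = (AxaptaRecord)ax.CreateAxaptaRecord("SalesTable");
// id is concatenated directly into the statement text
record.ExecuteStmt("select * from %1 where %1.SalesId == '" + id + "'");
while (record.Found)
{
    // do stuff
    record.Next(); // advance to the next record
}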

This works fine, but it's going to be on a public facing website, so is this a good way of accessing the data and is it secure from SQL Injection? Because I've read that this statement will use the "forcePlaceholders" keyword which will parameterise the query as it doesn't contain a join?


Answer 1:


I would say no. This still reeks of SQL injection.
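
An added example (not part of the original post or answer, and not Microsoft's code): the string concatenation runs in C# before ExecuteStmt ever sees the statement, so the value has to be checked before the statement is built. The sketch builds the question's statement with and without an allow-list check. The SalesId format, the class and method names, and the sample inputs are assumptions constructed for illustration.

```csharp
// Added example: not the asker's code. The SalesId format below is an assumption.
using System;
using System.Text.RegularExpressions;

static class SalesIdQuery
{
    // Assumed format: 1-20 characters from ASCII letters, digits, '-' and '_'.
    // \z (not $) so a trailing newline cannot slip past the end anchor.
    static readonly Regex SalesIdPattern =
        new Regex(@"\A[A-Za-z0-9_-]{1,20}\z", RegexOptions.CultureInvariant);

    // The question's approach: the value becomes part of the statement text.
    public static string BuildUnchecked(string id)
    {
        return "select * from %1 where %1.SalesId == '" + id + "'";
    }

    // Hardened form: refuse anything outside the allow-list before building.
    public static bool TryBuild(string id, out string statement)
    {
        statement = null;
        if (id == null || !SalesIdPattern.IsMatch(id))
            return false;
        statement = BuildUnchecked(id);
        return true;
    }

    static void Main()
    {
        // Constructed inputs: one well-formed id, one containing a quote
        // character that would end the string literal early.
        string[] samples = { "SO-000123", "SO-0001'x" };
        foreach (string id in samples)
        {
            Console.WriteLine("input:     " + id);
            Console.WriteLine("unchecked: " + BuildUnchecked(id));
            string stmt;
            Console.WriteLine(TryBuild(id, out stmt)
                ? "validated: " + stmt
                : "validated: rejected, statement not built");
        }
    }
}
```

Only a statement returned by TryBuild would be passed to record.ExecuteStmt; a rejected id should produce an error response and a log entry rather than a query.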



Source: https://stackoverflow.com/questions/9788446/axapta-executestmt-is-it-safe
