Question
I have some code, which uses the ExecuteStmt method on the Axapta Object when using the Business Connector, like so:
    // Create a record buffer for the SalesTable and run an X++ select with the id spliced in.
    AxaptaRecord record = (AxaptaRecord)ax.CreateAxaptaRecord("SalesTable");
    record.ExecuteStmt("select * from %1 where %1.SalesId == '" + id + "'");
    while (record.Found)
    {
        // do stuff
        record.Next(); // advance to the next row, otherwise the loop never ends
    }
This works fine, but it's going to be on a public-facing website, so is this a good way of accessing the data, and is it secure from SQL injection? Because I've read that this statement will use the "forcePlaceholders" keyword, which will parameterise the query as it doesn't contain a join?
Answer 1:
I would say no. This still reeks of SQL injection.
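As an added illustration (not code from the question, the answer, or the Business Connector documentation), the C# below places the concatenated statement from the question next to two safer shapes: one that refuses anything that is not a well-formed SalesId before it can reach ExecuteStmt, and one that moves the lookup into an X++ static method so the id arrives as a typed parameter rather than as statement text. The SalesId format, the regex, and the class and method names WebSalesLookup.findBySalesId are assumptions; the point is that forcePlaceholders only affects how the kernel sends the already-parsed X++ statement to SQL Server, so it cannot undo a quote that has already been spliced into the statement string.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Dynamics.BusinessConnectorNet;

public static class SalesLookup
{
    // Assumption: a SalesId is 1-20 characters of letters, digits, '-' or '_'.
    private static readonly Regex SalesIdPattern = new Regex(@"^[A-Za-z0-9_-]{1,20}$");

    // The form from the question: the id is pasted straight into the X++ statement.
    // A single quote inside id closes the literal, and whatever follows is parsed
    // by the X++ kernel as part of the where clause before SQL is ever involved.
    public static string UnsafeStmt(string id)
    {
        return "select * from %1 where %1.SalesId == '" + id + "'";
    }

    // Hardened form: allow-list the value first. A quote can never get through,
    // so the only thing that can reach ExecuteStmt is a plain SalesId literal.
    public static string SafeStmt(string id)
    {
        if (id == null || !SalesIdPattern.IsMatch(id))
            throw new ArgumentException("Not a well-formed SalesId", "id");
        return "select * from %1 where %1.SalesId == '" + id + "'";
    }

    // Reads the order with the validated statement; Next() advances the cursor.
    public static string FindCustomer(Axapta ax, string id)
    {
        AxaptaRecord record = (AxaptaRecord)ax.CreateAxaptaRecord("SalesTable");
        record.ExecuteStmt(SafeStmt(id));
        string customer = null;
        while (record.Found)
        {
            customer = (string)record.get_Field("CustAccount");
            record.Next();
        }
        return customer;
    }

    // Preferred shape: keep the select inside AOT code and pass the id as a
    // parameter. Hypothetical X++ method (not on the page):
    //   static CustAccount findBySalesId(SalesId _id)
    //   { SalesTable st; select firstOnly st where st.SalesId == _id; return st.CustAccount; }
    // Here _id is a value, not statement text, so no quoting trick can alter the query.
    public static string FindCustomerViaXpp(Axapta ax, string id)
    {
        return (string)ax.CallStaticClassMethod("WebSalesLookup", "findBySalesId", id);
    }
}
```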
Source: https://stackoverflow.com/questions/9788446/axapta-executestmt-is-it-safe