Injection-safe call to IAxaptaRecord.ExecuteStmt()
Is there an injection-safe way to call via the Axapta Business Connector?
string salesId = someObject.Text;
IAxaptaRecord salesLine = ax.CreateRecord("SalesLine");
// user text is spliced straight into the X++ statement string
salesLine.ExecuteStmt("select * from %1 where %1.SalesId == '" + salesId + "'");
If someObject.Text is set to the following, I am then vulnerable to X++ code injection:
"SomeSalesOrder' || %1.SalesId == 'SomeOtherOrder"
Is there a way to parameterize the query, or would it be better to write all of the data access code directly in X++, and then call that from COM?
There is no way to be sure you have covered all cases ...
Using ExecuteStmt is most likely the wrong approach. You should write your select or whatever in an Axapta method (with parameters) then call that method.
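The approach this comment recommends, as an added example that is neither the question's code nor the commenter's: the select is written in an X++ static method that takes the sales id as a typed parameter, and the .NET/COM caller hands the value to that method through CallStaticClassMethod instead of assembling an X++ statement string. The class name SalesLineLookup, the method name lineCountBySalesId, the AxaptaCOMConnector interop namespace and the Logon argument order are assumptions for this example; check them against the connector version you have.

```csharp
/* X++ side (assumed class SalesLineLookup, written for this example).
 * The where clause is compiled X++: _salesId is a value bound by the kernel,
 * never a piece of statement text.
 *
 * static int lineCountBySalesId(SalesId _salesId)
 * {
 *     SalesLine salesLine;
 *
 *     select count(RecId) from salesLine
 *         where salesLine.SalesId == _salesId;
 *
 *     return any2int(salesLine.RecId);
 * }
 */
using System;
using AxaptaCOMConnector;   // COM reference to the Axapta COM Connector (assumed interop namespace)

static class SalesLineLookupClient
{
    // Returns the number of SalesLine rows for salesId. The string travels as a method
    // argument, so a value such as "X' || %1.SalesId == 'Y" is only ever compared as a literal.
    public static int LineCount(IAxapta ax, string salesId)
    {
        object result = ax.CallStaticClassMethod("SalesLineLookup", "lineCountBySalesId", salesId);
        return Convert.ToInt32(result);
    }

    static void Main()
    {
        IAxapta ax = new Axapta();
        ax.Logon("", "", "", "");   // company, language, object server, configuration (assumed order)
        try
        {
            // Constructed input: the same string that rewrote the where clause in the question.
            string hostile = "SomeSalesOrder' || %1.SalesId == 'SomeOtherOrder";
            Console.WriteLine(LineCount(ax, hostile));   // no order has that id, so the count is 0
        }
        finally
        {
            ax.Logoff();
        }
    }
}
```

The point is the layer at which the value crosses into X++: as an argument to a compiled method the caller cannot change the shape of the query, whereas anything passed to ExecuteStmt is parsed as X++ and has to be escaped correctly for every case.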
You should do a replace on ' to \'
e.g.