on 11-10-2016 8:07 PM - last edited on 02-03-2024 6:51 PM by postmig_api_4
In .NET, we have the Command object which allows adding command parameters. One of the benefits of this is that it removes the risk of SQL injection.
I know that I can execute queries with the DI API via the DoQuery method, but I am curious if there is a way to add parameters just like we do with the .NET object and avoid the need of concatenating strings.
Hi Ivan,
For this purpose, no. There is an object called Command inside Recordset to allow you to run stored procedures with parameters.
About concatenating strings in your query, I write my queries like this:
// Note: string.Format only substitutes text into the query; the values are not bound as parameters
string sql = "SELECT * FROM OCRD WHERE CardCode = '{0}' AND CardType = '{1}'";
sql = string.Format(sql, cardCode, cardType);
Just to avoid concatenating a lot of strings.
Maybe someone else on this board has some approach to avoid the risk of SQL injection inside B1.
Kind Regards,
Diego Lother
Hi Diego.
Thanks for your reply. I will try that syntax since it's easier to understand and maintain 🙂
Concerning the RecordSet Command property, I saw it, but that would imply adding my queries as stored procedures in the SAP database and, as I understand, we are not allowed to do that... but maybe I am mistaken?
Hi Hector,
I always heard that SAP doesn't allow any change at the database level. But I see a lot of add-ons from big companies that create stored procedures on the database, so I believe (but I'm not certain) that creating stored procedures is allowed.
P.S.: The Command object of RecordSet does not have the objective of working like the Command object of .NET in order to avoid SQL injection.
Kind Regards,
Diego Lother
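Since DoQuery takes only a finished SQL string, the remaining defence is to constrain each value before it is formatted into the query. The helper below is an added example, not code from the thread or from the SAP DI API; it assumes CardCode is an alphanumeric key of at most 15 characters and that CardType is one of the codes C, S or L, and the class and method names are hypothetical.

```csharp
using System;
using System.Text.RegularExpressions;

// Hypothetical helper that validates values before they are placed into a DoQuery string.
// The resulting string is what you would pass to SAPbobsCOM.Recordset.DoQuery(sql).
static class SafeQuery
{
    // Assumption: a CardCode is a short alphanumeric key; anything else is rejected outright.
    private static readonly Regex KeyPattern = new Regex(@"^[A-Za-z0-9_\-\.]{1,15}$");

    public static bool IsValidKey(string value) =>
        value != null && KeyPattern.IsMatch(value);

    // Double any single quote so the value cannot close the SQL string literal.
    // Only a second line of defence: the allow-list above already excludes quotes.
    public static string EscapeLiteral(string value) =>
        value.Replace("'", "''");

    public static string BuildCardQuery(string cardCode, string cardType)
    {
        if (!IsValidKey(cardCode))
            throw new ArgumentException("CardCode contains characters outside the allowed set");

        // Assumption: CardType is a fixed set of one-letter codes, so compare against that set
        // instead of formatting caller input into the query.
        if (cardType != "C" && cardType != "S" && cardType != "L")
            throw new ArgumentException("CardType must be C, S or L");

        string sql = "SELECT * FROM OCRD WHERE CardCode = '{0}' AND CardType = '{1}'";
        return string.Format(sql, EscapeLiteral(cardCode), cardType);
    }

    static void Main()
    {
        // Constructed sample values: a well-formed key and one containing a stray quote.
        Console.WriteLine(BuildCardQuery("C20000", "C"));
        try
        {
            BuildCardQuery("C2000'0", "C");
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("Rejected: " + e.Message);
        }
    }
}
```

Keeping the validation in one place makes it easy to audit every DoQuery call site for values that bypass it.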