
Is there a way to add parameters to a RecordSet.DoQuery() method?

In .NET, we have the Command object which allows us to add command parameters. One of the benefits of this is that it removes the risk of SQL injection.

I know that I can execute queries with the DI API via the DoQuery method, but I am curious if there is a way to add parameters just like we do with the .NET object and avoid the need to concatenate strings.


2 Answers

  • Nov 10, 2016 at 08:35 PM

    Hi Ivan,

    With this purpose, no. There is an object called Command inside Recordset to allow you to run stored procedures with parameters.

    About concatenating strings in your query: I write my queries like this:

    string sql = "SELECT * FROM OCRD WHERE CardCode = '{0}' AND CardType = '{1}'";
    sql = string.Format(sql, cardCode, cardType);
    

    Just to avoid concatenating a lot of strings.

    Maybe someone else on this board has some approach to avoid the risk of SQL injection inside B1.

    Kind Regards,

    Diego Lother


  • Nov 10, 2016 at 08:42 PM

    Hi Diego.

    Thanks for your reply. I will try that syntax since it's easier to understand and maintain :)

    Concerning the RecordSet Command property, I saw it, but that would imply adding my queries as stored procedures in the SAP database and, as I understand it, we are not allowed to do that... but maybe I am mistaken?


    • Hi Hector,

      I always heard that SAP doesn't allow any change at the database level. But I see a lot of add-ons from big companies that create stored procedures on the database, so I believe (but I am not certain) that creating stored procedures is allowed.

      P.S.: The Command object of RecordSet doesn't have the objective of working like the Command object of .NET to avoid SQL injection.

      Kind Regards,

      Diego Lother
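An added example (not code from the thread or from SAP) covering both points raised above: the string.Format approach in the first answer builds exactly the same SQL text as concatenation, so a quote inside the value still breaks out of the literal, and, as the P.S. notes, Recordset.Command does not give DoQuery the bound parameters .NET has. Since DoQuery only accepts a finished string, the mitigation is to control what reaches it: double embedded single quotes and whitelist columns with a fixed domain. `SafeQuery`, `Quote`, `BuildCardQuery` and `AllowedCardTypes` are hypothetical names introduced here; `SAPbobsCOM.Recordset.DoQuery` and `Company.GetBusinessObject(BoObjectTypes.BoRecordset)` are the DI API calls the thread is about.

```csharp
using System;
using System.Collections.Generic;
using SAPbobsCOM;

public static class SafeQuery
{
    // Assumed domain for OCRD.CardType (Customer / Supplier / Lead):
    // a value that is not in the set never reaches the SQL text.
    static readonly HashSet<string> AllowedCardTypes =
        new HashSet<string> { "C", "S", "L" };

    // Doubling single quotes is the standard SQL escape for a string
    // literal; after this the value can only be read as data.
    public static string Quote(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        return "'" + value.Replace("'", "''") + "'";
    }

    public static string BuildCardQuery(string cardCode, string cardType)
    {
        if (!AllowedCardTypes.Contains(cardType))
            throw new ArgumentException("Unexpected CardType: " + cardType);
        return "SELECT * FROM OCRD WHERE CardCode = " + Quote(cardCode)
             + " AND CardType = " + Quote(cardType);
    }

    // Same DoQuery call as in the question, fed only by BuildCardQuery.
    public static Recordset Run(Company company, string cardCode, string cardType)
    {
        var rs = (Recordset)company.GetBusinessObject(BoObjectTypes.BoRecordset);
        rs.DoQuery(BuildCardQuery(cardCode, cardType));
        return rs;
    }

    public static void Demo()
    {
        // Constructed input: an ordinary apostrophe in the data.
        string input = "O'Brien";

        // string.Format as in the answer: the apostrophe ends the literal
        // early and everything after it is parsed as SQL, not as data.
        string unsafeSql = string.Format(
            "SELECT * FROM OCRD WHERE CardCode = '{0}' AND CardType = '{1}'", input, "C");
        Console.WriteLine(unsafeSql);               // ... CardCode = 'O'Brien' ...

        // Escaped: the literal stays intact whatever the value contains.
        Console.WriteLine(BuildCardQuery(input, "C")); // ... CardCode = 'O''Brien' ...
    }
}
```

Escaping covers string literals only; numeric or identifier positions need their own validation (parse to int, whitelist column names) before being placed in the query.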