
Is there a way to add parameters to a RecordSet.DoQuery() method?

Former Member

In .NET, we have the Command object which allows you to add command parameters. One of the benefits of this is that it removes the risk of SQL Injection.

I know that I can execute queries with the DI API via the DoQuery method, but I am curious if there is a way to add parameters just like we do with the .NET object and avoid the need to concatenate strings.

Accepted Solutions (0)

Answers (2)

former_member185682
Active Contributor

Hi Ivan,

For this purpose, no. There is an object called Command inside Recordset that allows you to run stored procedures with parameters.

About concatenating strings in your query: I write my queries like this:

string sql = "SELECT * FROM OCRD WHERE CardCode = '{0}' AND CardType = '{1}'";
sql = string.Format(sql, cardCode, cardType);

Just to avoid concatenating a lot of strings.

Maybe someone else on this board has some approach to avoid the risk of SQL injection inside B1.

Kind Regards,

Diego Lother
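
Added example (my code, not Diego's and not part of the SAP DI API): it shows that the string.Format style above builds exactly the same injectable SQL as manual concatenation, and what is left to do when the API only accepts a finished SQL string. The helper names (FormatQuery, Literal, BuildQuery), the CardCode pattern (letters, digits, '-' and '_', up to 15 characters) and the constructed hostile input are assumptions for this example; CardType C/S/L are the OCRD business partner types. The Recordset.DoQuery call is left as a comment so the program compiles and runs without an SAP connection.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not part of the original post. DoQuery takes a finished SQL
// string and offers no parameter binding, so the only defences are to
// validate each value against the shape it may legitimately have and to
// escape what goes into a string literal.
static class B1QueryBuilder
{
    // Assumption for this example: a CardCode is letters, digits, '-' or '_',
    // at most 15 characters. Adjust to the key format your installation uses.
    static readonly Regex CardCodePattern = new Regex(@"^[A-Za-z0-9_-]{1,15}$");

    // The approach from the answer above: string.Format is still concatenation,
    // so a quote inside cardCode ends the literal and the rest becomes SQL.
    public static string FormatQuery(string cardCode, string cardType)
    {
        string sql = "SELECT * FROM OCRD WHERE CardCode = '{0}' AND CardType = '{1}'";
        return string.Format(sql, cardCode, cardType);
    }

    // Wrap a value as a SQL string literal. The only character that can close
    // the literal is the single quote, which SQL escapes by doubling it.
    public static string Literal(string value)
    {
        return "'" + value.Replace("'", "''") + "'";
    }

    // Hardened builder: reject anything outside the expected shape first, then
    // escape. CardType in OCRD is one letter (C customer, S supplier, L lead).
    public static string BuildQuery(string cardCode, char cardType)
    {
        if (cardCode == null || !CardCodePattern.IsMatch(cardCode))
            throw new ArgumentException("CardCode has characters outside the allowed set");
        if (cardType != 'C' && cardType != 'S' && cardType != 'L')
            throw new ArgumentException("CardType must be C, S or L");

        return "SELECT * FROM OCRD WHERE CardCode = " + Literal(cardCode)
             + " AND CardType = " + Literal(cardType.ToString());
    }

    static void Main()
    {
        // Constructed attacker input: closes the literal, adds OR 1=1 and
        // comments out the remaining condition.
        string hostile = "C20000' OR 1=1 --";

        Console.WriteLine("string.Format with hostile input:");
        Console.WriteLine(FormatQuery(hostile, "C"));

        Console.WriteLine("Hardened builder with a normal key:");
        Console.WriteLine(BuildQuery("C20000", 'C'));

        Console.WriteLine("Hardened builder with hostile input:");
        try
        {
            Console.WriteLine(BuildQuery(hostile, 'C'));
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
        }

        // With the DI API the validated string is then passed unchanged:
        // SAPbobsCOM.Recordset rs = (SAPbobsCOM.Recordset)
        //     company.GetBusinessObject(SAPbobsCOM.BoObjectTypes.BoRecordset);
        // rs.DoQuery(BuildQuery(cardCode, cardType));
    }
}
```

Running it prints the string.Format query with the injected OR 1=1 predicate intact, the hardened query for a normal key, and a rejection for the hostile key. The pattern check is the real control here; the quote doubling only covers values that belong inside a string literal. Anything that ends up in an identifier, table name, ORDER BY or numeric position cannot be escaped that way and needs an allowlist or a parsed number instead.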

Former Member

Hi Diego.

Thanks for your reply. I will try that syntax since it's easier to understand and maintain 🙂

Concerning the Recordset Command property, I saw it, but that would imply adding my queries as stored procedures in the SAP database and, as I understand, we are not allowed to do that... but maybe I am mistaken?

former_member185682
Active Contributor

Hi Hector,

I always heard that SAP doesn't allow any change at the database level. But I see a lot of add-ons from big companies that create stored procedures on the database, so I believe (but I am not certain) that creating stored procedures is allowed.

P.S.: The Command object of Recordset is not intended to work like the Command object of .NET for avoiding SQL injection.

Kind Regards,

Diego Lother