Is there a way to add parameters to a RecordSet.DoQuery() method?

Nov 10, 2016 at 08:07 PM

In .NET, we have the Command object, which allows adding command parameters. One of the benefits of this is that it removes the risk of SQL injection.

I know that I can execute queries with the DI API via the DoQuery method, but I am curious if there is a way to add parameters just like we do with the .NET object and avoid the need to concatenate strings.


2 Answers

DIEGO LOTHER Nov 10, 2016 at 08:35 PM
Hi Ivan,

For this purpose, no. There is an object called Command inside Recordset that allows you to run stored procedures with parameters.

About concatenating strings in your query: I write my queries like this:

string sql = "SELECT * FROM OCRD WHERE CardCode = '{0}' AND CardType = '{1}'";
sql = string.Format(sql, cardCode, cardType);

Just to avoid concatenating a lot of strings.

Maybe someone else on this board has some approach to avoid the risk of SQL injection inside B1.

Kind Regards,

Diego Lother

Hector Ivan Corea Sanabria Nov 10, 2016 at 08:42 PM

Hi Diego.

Thanks for your reply. I will try that syntax since it's easier to understand and maintain :)

Concerning the Recordset Command property, I saw it, but that would imply adding my queries as stored procedures in the SAP database and, as I understand, we are not allowed to do that... but maybe I am mistaken?


Hi Hector,

I always heard that SAP doesn't allow any change at the database level. But I see a lot of add-ons from big companies that create stored procedures on the database, so I believe (but I am not certain) that creating stored procedures is allowed.

P.S.: The Command object of Recordset is not intended to work like the Command object of .NET in order to avoid SQL injection.

Kind Regards,

Diego Lother

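Since Recordset.DoQuery() only accepts a finished SQL string, the string.Format pattern from Diego's answer is only as safe as the values placed into it. The following is an added example, not code from the thread or from SAP: it keeps the same OCRD query but validates each value against what the column can legitimately hold and doubles the quote delimiter before formatting. It assumes OCRD.CardCode is at most 15 characters and that OCRD.CardType holds one of the codes C, S or L; the class and method names are hypothetical.

```csharp
using System;

// Added example: hardening the string.Format query from the thread so that
// user-supplied values cannot break out of the SQL literal. Assumptions:
// OCRD.CardCode is at most 15 characters; OCRD.CardType is C, S or L.
public static class SafeB1Query
{
    // OCRD.CardType codes: C = customer, S = supplier, L = lead (assumed).
    private static readonly string[] AllowedCardTypes = { "C", "S", "L" };

    // SQL string literals are delimited by single quotes; a quote inside the
    // value is escaped by doubling it (SQL standard, valid on MSSQL and HANA).
    // This covers literals only; never use it for table or column names.
    public static string EscapeLiteral(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        return value.Replace("'", "''");
    }

    // Builds the same query as the thread, but rejects unexpected input
    // instead of interpolating it blindly.
    public static string BuildCardQuery(string cardCode, string cardType)
    {
        if (string.IsNullOrEmpty(cardCode) || cardCode.Length > 15)
            throw new ArgumentException("CardCode must be 1-15 characters.");
        // CardType is a fixed code set, so an allow-list is stricter than escaping.
        if (Array.IndexOf(AllowedCardTypes, cardType) < 0)
            throw new ArgumentException("CardType must be C, S or L.");

        string sql = "SELECT * FROM OCRD WHERE CardCode = '{0}' AND CardType = '{1}'";
        return string.Format(sql, EscapeLiteral(cardCode), cardType);
    }

    public static void Main()
    {
        // Normal value: passes through unchanged.
        Console.WriteLine(BuildCardQuery("C20000", "C"));
        // A value containing a quote stays inside the literal after escaping.
        Console.WriteLine(BuildCardQuery("O'Neil", "S"));
        // An unexpected CardType is rejected before any SQL is built.
        try { BuildCardQuery("C20000", "X"); }
        catch (ArgumentException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

The resulting string is what you would pass to Recordset.DoQuery(); the validation happens before the DI API ever sees the query, so it works the same on MSSQL and HANA installations.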