Skip to Content

Is there a way to add parameters to a RecordSet.DoQuery() method?

Nov 10, 2016 at 08:07 PM


avatar image

In .NET, we have the Command object which allows to add command parameters. One of the benefits of this is that it removes the risk of SQL Injection.

I know that I can execute queries with the DIAPI via the DoQuery method but I am curious if there is a way to add parameters just like we do with the .NET object and avoid the need of concatenate strings.

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

2 Answers

DIEGO LOTHER Nov 10, 2016 at 08:35 PM

Hi Ivan,

With this purpose no. There is an object called Command inside Recordset to allow you to run store procedures with parameters.

About concatenate strings in your query. I write my queries like this:

string sql = "SELECT * FROM OCRD WHERE CardCode = '{0}' AND CardType = '{1}'";
sql = string.Format(sql, cardCode, cardType);

Just to avoid to concatenate string a lot of strings.

Maybe someone else in this board have some approach to avoid risk of SQL injection inside B1.

Kind Regards,

Diego Lother

10 |10000 characters needed characters left characters exceeded
Hector Ivan Corea Sanabria Nov 10, 2016 at 08:42 PM

Hi Diego.

Thanks for your reply. I will try that syntax since it's easier to understand and maintain :)

Concerning the RecordSet Command property, I saw it but that would imply adding my queries as stored procedures in the SAP DataBase and, as I understand, we are not allowed to do that... but maybe I am mistaken?

Show 1 Share
10 |10000 characters needed characters left characters exceeded

Hi Hector,

I always heard that SAP doesn't allow any change on the database level. But I see a lot of addon of big companies that create store procedures on the database, then I believe (but I don't have certain) that creates store procedures are allowed.

P.S: The command object of RecordSet doesn't have the objective to work like Command object of .NET in to avoid sql injection.

Kind Regards,

Diego Lother