1

How do I escape a string coming from the user in BusinessOne? I have seen some examples (in the official samples!) that seem sensible to SQL injection:

SAPbobsCOM.Recordset RecSet = ( ( SAPbobsCOM.Recordset )( oCompany.GetBusinessObject( SAPbobsCOM.BoObjectTypes.BoRecordset ) ) ); 
string QryStr = "update [@VIDS] set U_RENTED = 'Y', U_CARDCODE = '" + CardStr + "' where Code = '" + MovieStr + "'"; 
            RecSet.DoQuery( QryStr );
RecSet.DoQuery( QryStr );

Is there a way to avoid SQL injection with simple SQL queries (without stored procedures)?

4

1 回答 1

0

不幸的是,DI-API 不提供准备好的语句,因此您需要手动保护您的输入。如何做到这一点的研究包含在如何在 MSSQL 服务器中转义值问题中:

在阅读了新的 SQL 截断攻击和如何避免它们之后,使用(并且每次出现 加倍)和使用值(再次加倍)来转义标识符似乎就足够了。尽管如此,对关注正确转义 MSSQL 的库的提示还是不错的。[]''

我正在使用以下 Java 代码来转义标识符和值(移植到不同的语言应该很简单):

引用标识符

public static String identifier(final CharSequence identifier) {
    final int length = identifier.length();
    StringBuilder sb = new StringBuilder(2 + length * 2);

    sb.append('[');

    for (int i = 0; i < length; ++i) {
        char c = identifier.charAt(i);

        if (']' == c) {
            sb.append(']');
        }
        sb.append(c);
    }
    sb.append(']');

    return sb.toString();
}

引用值

public static String value(final CharSequence value) {
    final int length = value.length();
    StringBuilder sb = new StringBuilder(2 + length * 2);

    sb.append('\'');

    for (int i = 0; i < length; ++i) {
        char c = value.charAt(i);

        if ('\'' == c) {
            sb.append('\'');
        }
        sb.append(c);
    }
    sb.append('\'');

    return sb.toString();
}
于 2016-06-10T18:55:33.823 回答