3 years, 11 months ago
#27426
I have tested the new WHERE statement and there is one last security concern for me:
If I'm going to prepare a WHERE parameter in a BO, how is this input sanitized?
For example:
DELETE FROM orders
WHERE-Statement = "customer_name = '" + input.customerName + "'"
input.customerName = "malware' AND 'hack'='hack"
input.customerName has to be sanitized or all orders will be deleted!
Is there a built-in utility function in a BO to fix this? Or am I doing something completely wrong?
WHERE-Statement = "customer_name = '" + sanitize(input.customerName) + "'"
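The concern in the post, shown as an added example against an in-memory SQLite database (this is not code from the original post or from the BO platform being asked about, whose API is not visible here). It builds the WHERE clause by string concatenation exactly as the post does, then runs the same DELETE with a bound parameter. Two constructed payloads are used: the post's own AND-tautology, and an OR-tautology, which is the variant that actually matches every row. The sample orders are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows, not data from the original post.
ORDERS = [
    (1, "alice"),
    (2, "bob"),
    (3, "carol"),
]

# Payloads (constructed). Each closes the opened string literal and
# appends a tautology; the OR form makes the whole WHERE clause true.
PAYLOAD_AND = "malware' AND 'hack'='hack"
PAYLOAD_OR = "malware' OR 'hack'='hack"


def fresh_db():
    """Return an in-memory database seeded with the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_name TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", ORDERS)
    conn.commit()
    return conn


def remaining_ids(conn):
    """Ids of the orders still present, in ascending order."""
    return [row[0] for row in conn.execute("SELECT id FROM orders ORDER BY id")]


def delete_orders_concat(conn, customer_name):
    """Vulnerable: the WHERE clause is assembled by concatenation, as in the post.

    The caller's value becomes part of the SQL text, so a quote in it
    terminates the literal and whatever follows is executed as SQL.
    """
    where = "customer_name = '" + customer_name + "'"
    conn.execute("DELETE FROM orders WHERE " + where)
    conn.commit()
    return remaining_ids(conn)


def delete_orders_param(conn, customer_name):
    """Hardened: the value is bound as a parameter and never parsed as SQL.

    The same OR-tautology string is now just a customer name that matches
    nothing, so no rows are deleted.
    """
    conn.execute("DELETE FROM orders WHERE customer_name = ?", (customer_name,))
    conn.commit()
    return remaining_ids(conn)


if __name__ == "__main__":
    print("concat, OR payload  ->", delete_orders_concat(fresh_db(), PAYLOAD_OR))
    print("concat, AND payload ->", delete_orders_concat(fresh_db(), PAYLOAD_AND))
    print("param,  OR payload  ->", delete_orders_param(fresh_db(), PAYLOAD_OR))
    print("param,  'alice'     ->", delete_orders_param(fresh_db(), "alice"))
```

The takeaway for the question asked: escaping quotes in a `sanitize()` helper is the weaker fix, since it has to know the exact quoting rules of the target database and still leaves the value inside the SQL text. Binding the value as a parameter (or, if the platform only accepts a WHERE string, restricting `customerName` to a strict allow-list of characters before concatenation) removes the injection path rather than filtering it.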