
3 years, 11 months ago #27426

I have tested the new WHERE-Statement and there is one last security concern for me:

If I’m going to prepare a WHERE-Parameter in a BO, how is this input sanitized?

For example:

DELETE FROM orders

WHERE-Statement = "customer_name = '" + input.customerName + "'"

input.customerName = "malware' AND 'hack'='hack"

input.customerName has to be sanitized or all orders will be deleted!

Is there a built-in utility function in a BO to fix this? Or am I doing something completely wrong?

WHERE-Statement = "customer_name = '" + sanitize(input.customerName) + "'"
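Added example, not from the original post and not the forum platform's BO API (which is not shown here, so Python's sqlite3 module and a constructed `orders` table stand in for it). It runs the concatenated WHERE clause from the post against a throwaway database, then the same delete with a bound parameter, and, for an API that accepts only a WHERE string, with single quotes doubled (the SQL-standard escape for string literals). The injected value is an OR-based payload, because that one widens the match to every row; the AND-based payload from the post is run alongside it for comparison.

```python
import sqlite3

# Constructed sample data (not from the original post).
SAMPLE_ORDERS = [
    (1, "alice", 19.99),
    (2, "bob", 5.00),
    (3, "carol", 42.50),
]


def fresh_db():
    """Return an in-memory database with the sample orders loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_name TEXT, total REAL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def build_where_unsafe(customer_name):
    # Mirrors the concatenation in the post: the value is pasted into SQL text,
    # so a quote inside it ends the literal and the rest is parsed as SQL.
    return "customer_name = '" + customer_name + "'"


def build_where_escaped(customer_name):
    # Fallback when an API accepts only a WHERE string: double every single quote.
    # Weaker than binding: it protects quoted string literals only, not values
    # placed in numeric, identifier or LIKE positions.
    return "customer_name = '" + customer_name.replace("'", "''") + "'"


def delete_orders_unsafe(conn, customer_name):
    cur = conn.execute("DELETE FROM orders WHERE " + build_where_unsafe(customer_name))
    conn.commit()
    return cur.rowcount  # rows actually deleted


def delete_orders_escaped(conn, customer_name):
    cur = conn.execute("DELETE FROM orders WHERE " + build_where_escaped(customer_name))
    conn.commit()
    return cur.rowcount


def delete_orders_safe(conn, customer_name):
    # Preferred fix: a bound parameter. The driver passes the value separately
    # from the statement text, so it is never parsed as SQL.
    cur = conn.execute(
        "DELETE FROM orders WHERE customer_name = ?", (customer_name,)
    )
    conn.commit()
    return cur.rowcount


def remaining(conn):
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def demo():
    """Run each variant on a fresh table and report how many rows each deleted."""
    payload_or = "x' OR 'a'='a"                 # widens the match to every row
    payload_and = "malware' AND 'hack'='hack"   # the post's payload; narrows instead
    results = {}

    conn = fresh_db()
    results["unsafe_or_deleted"] = delete_orders_unsafe(conn, payload_or)
    results["unsafe_or_remaining"] = remaining(conn)

    conn = fresh_db()
    results["unsafe_and_deleted"] = delete_orders_unsafe(conn, payload_and)

    conn = fresh_db()
    results["escaped_or_deleted"] = delete_orders_escaped(conn, payload_or)

    conn = fresh_db()
    results["safe_or_deleted"] = delete_orders_safe(conn, payload_or)
    results["safe_or_remaining"] = remaining(conn)

    conn = fresh_db()
    results["safe_legit_deleted"] = delete_orders_safe(conn, "bob")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The bound-parameter form is the one to reach for whenever the API offers it; the quote-doubling form is only a stopgap for an interface that takes a finished WHERE string, and it still leaves every non-string position (numbers, column names, ORDER BY targets) unprotected.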