Any time the Framework calls a SQL query (such as ExecuteNonQuery, GetDataTable, ExecuteScalar) it should have an overload method that allows you to pass parameterized queries. This will help prevent SQL injection attacks and could also boost performance by allowing parameter sniffing.
We do have a set of methods in the data access layer that we use internally for generating parameterized queries (i.e. not exposed via the plugin API) to combat SQL injection. We could at some point in the future expose these methods in the public API.
Just to elaborate a little more on this, I'm thinking it should look something like this:
C# Example
// Proposed API: build the parameter set separately from the SQL text.
var queryParams = new QueryParams(1);
queryParams.Add("@Name", "Eric Rocks");   // parameter name must be a string literal
_HostServerDatabase = Host.Page.DataSourceID;
using (DataService HostServerCompare = Host.GetDataServiceEx(_HostServerDatabase))
{
    // The SQL text stays constant; the value travels as @Name.
    // Passing the parameters as a second argument (not via string.Format)
    // is what keeps the query parameterized rather than concatenated.
    HostServerCompare.TryExecuteScalar("SELECT DestinationID FROM dbo.Package WHERE PackID = @Name", queryParams);
}
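As an added illustration of the request above, not code from the original thread or from the framework's own data access layer: the same lookup written against plain ADO.NET, first with string concatenation (injectable) and then with a SqlParameter. The PackageQueries class, the connection string, and the NVARCHAR(50) type of dbo.Package.PackID are assumptions for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class PackageQueries
{
    // VULNERABLE: packId is concatenated straight into the SQL text.
    // An input such as  x' OR '1'='1  changes the structure of the query
    // and returns the first DestinationID in the table.
    public static object GetDestinationIdUnsafe(SqlConnection conn, string packId)
    {
        string sql = "SELECT DestinationID FROM dbo.Package WHERE PackID = '" + packId + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return cmd.ExecuteScalar();
        }
    }

    // SAFE: the SQL text is a constant; the value travels as a typed parameter,
    // so the server never parses user input as SQL. The constant text also lets
    // SQL Server reuse one cached plan for every packId value.
    public static object GetDestinationId(SqlConnection conn, string packId)
    {
        const string sql = "SELECT DestinationID FROM dbo.Package WHERE PackID = @PackID";
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declare type and length explicitly (assumed NVARCHAR(50) here).
            // Letting ADO.NET infer them from the value yields a different
            // plan for each distinct string length and defeats plan reuse.
            cmd.Parameters.Add("@PackID", SqlDbType.NVarChar, 50).Value = packId;
            return cmd.ExecuteScalar(); // null when no row matches
        }
    }

    public static void Main()
    {
        // Assumed connection string; replace with your own.
        var connStr = "Server=.;Database=Packages;Integrated Security=true";
        using (var conn = new SqlConnection(connStr))
        {
            conn.Open();
            string hostile = "x' OR '1'='1";
            // Unsafe version: the OR clause matches every row.
            Console.WriteLine(GetDestinationIdUnsafe(conn, hostile));
            // Safe version: looks for a PackID literally equal to the hostile string.
            Console.WriteLine(GetDestinationId(conn, hostile) ?? "(no match)");
        }
    }
}
```

One caveat on the performance argument in the request: parameterization helps because the constant SQL text lets the server reuse a single cached plan. "Parameter sniffing" is the related but distinct behaviour where that plan is compiled for the first value seen, which can be slower for other values; it is a side effect to watch for, not the source of the benefit.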