
Framework Plugin Method ExecuteNonQuery should add overload method to allow for parameterization

Anytime the Framework calls a SQL query (such as ExecuteNonQuery, GetDataTable, ExecuteScalar) it should have an overload method that allows you to pass parameterized queries. This will help prevent SQL injection attacks and could also boost performance by allowing parameter sniffing.

  • Eric Weldon
  • Feb 26 2018
  • Future consideration
  • May 23, 2018

    Admin response

     We do have a set of methods in the data access layer that we use internally for generating parametrized queries (e.g. not exposed via the plugin API) to combat SQL injection. We could at some point in the future expose these methods in the public API.

  • Eric Weldon commented
    February 27, 2018 14:47

    Just to elaborate a little more on this, I'm thinking it should look something like this:


    C# Example

    // Build the parameter set once; the name matches the placeholder used in the SQL text.
    var queryParams = new QueryParams(1);
    queryParams.Add("@Name", "Eric Rocks");

    _HostServerDatabase = Host.Page.DataSourceID;
    using (DataService HostServerCompare = Host.GetDataServiceEx(_HostServerDatabase))
    {
        // Proposed overload: the SQL text stays constant and the values are passed
        // separately as parameters instead of being formatted into the string.
        HostServerCompare.TryExecuteScalar(
            "SELECT DestinationID FROM dbo.Package WHERE PackID = @Name",
            queryParams);
    }
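As an added illustration of the overloads the idea and the comment above describe (this is not code from the idea, the commenter, or the product's plugin API), here is one way such methods could be built over ADO.NET's SqlCommand, with the unsafe string-formatted form beside the parameterized one. The class name ParameterizedData, the helper names, and the dbo.Package / PackID usage are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

// Hypothetical sketch of the requested overloads: SQL text plus a name/value map,
// bound as SqlParameters so values are never spliced into the statement text.
public static class ParameterizedData
{
    // The pattern to retire: the value becomes part of the SQL text, so a PackID
    // containing a quote character changes the statement rather than the match.
    public static string UnsafeScalarSql(string packId)
    {
        return string.Format(
            "SELECT DestinationID FROM dbo.Package WHERE PackID = '{0}'", packId);
    }

    private static SqlCommand CreateCommand(SqlConnection connection, string sql,
                                            IDictionary<string, object> parameters)
    {
        var command = new SqlCommand(sql, connection);
        foreach (var kv in parameters)
        {
            // Names come from the developer's SQL text; values come from callers
            // and are sent to the server as typed data, not as SQL.
            command.Parameters.AddWithValue(kv.Key, kv.Value ?? DBNull.Value);
        }
        return command;
    }

    public static object ExecuteScalar(SqlConnection connection, string sql,
                                       IDictionary<string, object> parameters)
    {
        using (var command = CreateCommand(connection, sql, parameters))
            return command.ExecuteScalar();
    }

    public static int ExecuteNonQuery(SqlConnection connection, string sql,
                                      IDictionary<string, object> parameters)
    {
        using (var command = CreateCommand(connection, sql, parameters))
            return command.ExecuteNonQuery();
    }

    // Usage matching the comment above: the SQL is constant and PackID is bound.
    public static object GetDestinationId(SqlConnection connection, string packId)
    {
        const string sql = "SELECT DestinationID FROM dbo.Package WHERE PackID = @PackID";
        return ExecuteScalar(connection, sql,
            new Dictionary<string, object> { { "@PackID", packId } });
    }
}
```

AddWithValue infers the SqlDbType from the .NET value (strings become nvarchar), which can force implicit conversions against varchar columns and fragment the plan cache; for the performance benefit the idea mentions, a production overload should let callers specify SqlDbType and size explicitly.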