Saturday, July 15, 2006

ATTN!!! SQL Injection possibility when using literals in queries

I've found a huge security hole in Ax 3.0 SP 4 + MS SQL Server (i don't know about other versions, but i think it is possible with other versions too)

If you have the following database connection options switched on, users can execute any SQL Server query using user defined filter.

So switch off:

  • Literals in join queries from forms and reports

  • Literals in complex joins from X++



Dont't use forceLiteras in production environment.

It can affect performance but will protect your data

No comments:

Post a Comment