Microsoft Dynamics Ax developer's blog

Saturday, July 15, 2006

ATTN!!! SQL Injection possibility when using literals in queries

I've found a huge security hole in Ax 3.0 SP 4 + MS SQL Server (i don't know about other versions, but i think it is possible with other versions too)

If you have the following database connection options switched on, users can execute any SQL Server query using user defined filter.

So switch off:

  • Literals in join queries from forms and reports

  • Literals in complex joins from X++

Dont't use forceLiteras in production environment.

It can affect performance but will protect your data

Thursday, July 06, 2006

On toolbars

Palle Algemark has recently posted about toolbars imitation in Ax:

Custom toolbars in AX,
Activating a custom toolbar

I have something to add:
  • if you want to do something with selected AOT items - use LastAOTSelection class (it's an iterator for last selected AOT items)
  • if you want to do something with active form: sit on timer, get last active form from info class (method setLastActivatedForm),remember it it's not your toolbar form and use remebered value on button clicks