10.2.300.2 BAQ SQL Injection

Hello,

I am aware of SQL hardening enhancements in 10.2.300, however I have a calculated column that is just:

sum( (PartWhse.OnHandQty-PartWhse.AllocatedQty-PartWhse.ReservedQty-PartWhse.PickingQty-PartWhse.PickedQty) )

When checking the syntax I get an error “Possible SQL injection”

Is there a workaround for this? Thanks! :slight_smile:

1 Like

Why do you use double ((?

1 Like

Typo, even singles do not work

Why do you think this string is exactly the problem? Maybe something else there? Like comments /**/?

I deleted all calculated field expressions and then tested each expression one by one. This is the only expression that gives this error.

Did you inspect app server log for detailed SQL error?

2 Likes

This is a shot in the dark, but I typically use spaces between fields and operators. I avoid parentheses unless required (order of operations should work).
In your case I would put spaces between the fields and the minus sign.
You may also want to test it without the SUM (just to clarify the issue further).

3 Likes

@Dmitry_Kashulin the error in the Epicor windows event log is:
“Possible SQL injection: ‘----) )’.
sum( (----) )”

@Jason_Woods I’ll try that

@Jason_Woods THE SPACES FIXED THE ISSUE

Thanks! :slight_smile:
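A simplified check, added here as an illustration and not Epicor's own code, that reproduces the false positive visible in the event-log text quoted above: qualified column references are blanked out, and the residue is scanned for SQL comment markers, so four adjacent minus signs collapse into `----` and trip the `--` test, while spaced operators do not. The tokenising regex, the marker list and the `space_operators` helper are assumptions for this example.

```python
import re
from typing import Tuple

# Assumed, simplified stand-in for a "possible SQL injection" pre-check.
# It only mimics what the log line "sum( (----) )" suggests: Table.Column
# references are removed, and whatever is left is scanned for comment markers.
QUALIFIED_REF = re.compile(r"\b[A-Za-z_]\w*\.[A-Za-z_]\w*\b")
SUSPICIOUS = re.compile(r"--|/\*|\*/|;")

# Constructed inputs: the expression from the thread, with and without spaces.
NO_SPACES = ("sum( (PartWhse.OnHandQty-PartWhse.AllocatedQty-PartWhse.ReservedQty"
             "-PartWhse.PickingQty-PartWhse.PickedQty) )")
WITH_SPACES = ("sum( (PartWhse.OnHandQty - PartWhse.AllocatedQty - PartWhse.ReservedQty"
               " - PartWhse.PickingQty - PartWhse.PickedQty) )")


def strip_references(expr: str) -> str:
    """Blank out Table.Column references, keeping operators and punctuation."""
    return QUALIFIED_REF.sub("", expr)


def check_expression(expr: str) -> Tuple[bool, str]:
    """Return (flagged, residue); flagged is True when a marker appears in the residue."""
    residue = strip_references(expr)
    return (SUSPICIOUS.search(residue) is not None, residue)


def space_operators(expr: str) -> str:
    """Apply the workaround from the thread: put a space on each side of every '-'."""
    return re.sub(r"\s*-\s*", " - ", expr)


if __name__ == "__main__":
    for label, expr in (("no spaces", NO_SPACES),
                        ("with spaces", WITH_SPACES),
                        ("auto-spaced", space_operators(NO_SPACES)),
                        ("real comment", "sum(PartWhse.OnHandQty) -- trailing comment")):
        flagged, residue = check_expression(expr)
        print(f"{label:12s} flagged={flagged!s:5s} residue={residue!r}")
```

The first case is the false positive (residue `sum( (----) )`), the last is the kind of input such a marker scan is meant to catch; a tokeniser that treats `-` followed by an identifier as an operator rather than scanning raw characters would avoid the false positive.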

We are aware of this bug. It is fixed in 10.2.300.2.
Sorry for the inconvenience.

2 Likes