Possible SQL injection

Kshitij · October 25, 2024, 11:57am

Hello Epicor Community,

I’m running into an issue while trying to execute a BAQ query, and I could use some assistance to troubleshoot and resolve it.
I’ve created a BAQ to retrieve order details, including a concatenated list of part numbers for each order. However, when I attempt to run or save the query, I encounter an error that says:
Possible SQL injection.
Review the server event logs for details.

My query:
select
[OrderHed].[Company] as [OrderHed_Company],
[OrderHed].[OrderNum] as [OrderHed_OrderNum],
[OrderHed].[OrderDate] as [OrderHed_OrderDate],
[OrderHed].[PONum] as [OrderHed_PONum],
[OrderHed].[VoidOrder] as [OrderHed_VoidOrder],
[OrderHed].[OpenOrder] as [OrderHed_OpenOrder],
[OrderHed].[OrderHeld] as [OrderHed_OrderHeld],
[Customer].[CustID] as [Customer_CustID],
[Customer].[Name] as [Customer_Name],
[Customer].[CreditHold] as [Customer_CreditHold],
[SubQuery2].[Calculated_PartNum] as [Calculated_PartNum]
from Erp.OrderHed as OrderHed
inner join Erp.Customer as Customer on
OrderHed.Company = Customer.Company
and OrderHed.BTCustNum = Customer.CustNum
inner join (select
[OrderDtl1].[OrderNum] as [OrderDtl1_OrderNum],
(CASE
WHEN COUNT(PartNum) = 1
THEN MAX(PartNum)
WHEN COUNT(PartNum) = 2
THEN (
SELECT STUFF(
(SELECT ’ | ’ + PartNum
FROM OrderDtl AS OD
WHERE OD.OrderNum = OrderDtl.OrderNum
FOR XML PATH(‘’)),
1, 3, ‘’
)
)
ELSE (
SELECT STUFF(
(SELECT ’ | ’ + PartNum
FROM OrderDtl AS OD
WHERE OD.OrderNum = OrderDtl.OrderNum
FOR XML PATH(‘’)),
1, 3, ‘’
) + ’ | —’
)
END) as [Calculated_PartNum]
from Erp.OrderDtl as OrderDtl1
group by [OrderDtl1].[OrderNum]) as SubQuery2 on
OrderHed.OrderNum = SubQuery2.OrderDtl1_OrderNum
where (OrderHed.OrderNum = 30265)

Has anyone encountered a similar issue with BAQ errors related to SQL injection, especially when using string concatenation? Any workarounds or best practices would be greatly appreciated. I am currently on Epicor 10.2.

Thanks in advance for any help or insights you can provide!

tsmith · October 25, 2024, 12:03pm

What version of SQL Server are you on? If possible, you should start using the String_agg() function available starting from SQL Server 2017.

FOR XML triggers Epicor’s SQL Injection protection logic and is a workaround that should be replaced with String_agg when possible.

Mark_Wonsil · October 25, 2024, 12:03pm

SQL Version and compatibility level?

Kshitij · October 25, 2024, 12:22pm

i am not sure but currently we are working on sql 2019

Mark_Wonsil · October 25, 2024, 12:25pm

As long as the compatibility level is 14, use @tsmith’s advice and move to STRING_AGG instead of the FOR XML syntax.

View or change the compatibility level of a database - SQL Server | Microsoft Learn

tsmith · October 25, 2024, 12:30pm

If you don’t have access to view the compatibility level of the server, you can create a simple BAQ that uses string_agg in a calculated field. If the BAQ runs then you are on Compatibility 14+, if not you will receive an error.

Kshitij · October 25, 2024, 12:37pm

still gives error

utaylor · October 25, 2024, 12:39pm

Y’all, I’m pretty sure you can’t write new SQL queries in calculated fields, can you???

utaylor · October 25, 2024, 12:42pm

@Kshitij is trying to write a whole different query in the calculated field.

@Kshitij, you need to use subqueries and CTE functionality within the BAQ framework to do what you’re doing, not write it out as SQL.

hkeric.wci · October 25, 2024, 12:47pm

You have to make a Sub-Query, then supply in the Sub-Query SubQuery Criteria, then instead of using it in your Main Query as a JOIN, you can use it in a Calculated field with {SubQueryNameHere}

Epicor will then insert that Sub-Query as a Sub-Select into that field wherever {SubQueryNameHere} is used, you can even use it in Expressions on JOINs etc…

utaylor · October 25, 2024, 12:47pm

Haso, thank you as always for doing the hard work and documenting it for the forum.

utaylor · October 25, 2024, 12:48pm

@Kshitij do you have access to any of the Epicor Documentation? I think they go through a CTE BAQ or subqueries if I am not mistaken.

You can search it in your kinetic help

amitn · October 25, 2024, 12:52pm

In Epicor, SQL injection checks can sometimes be triggered by certain patterns in BAQ subqueries, particularly when using string manipulation functions like STUFF or complex conditional logic.

Try updating the inner subquery by removing FOR XML PATH or using a simpler aggregation if feasible:

Kshitij · October 25, 2024, 12:53pm

ooh! my bad

I am trying to achieve some thing like this:

where i can concatenate OrderNums together in one column.
below is the query:
select
[Customer].[CustID] as [Customer_CustID],
[Customer].[Name] as [Customer_Name],
(REPLACE(REPLACE(((select
(CAST(OrderHed.OrderNum AS VARCHAR) + ‘,’) as [Calculated_OrderNum]
from Erp.OrderHed as OrderHed
where (OrderHed.CustNum = Customer.CustNum FOR XML PATH(‘’)))) , ‘</Calculated_OrderNum>’,‘’),‘<Calculated_OrderNum>’,‘’)) as [Calculated_Orders]
from Erp.Customer as Customer

it is also giving bad sql error. but there is no syntax error.

utaylor · October 25, 2024, 12:56pm

so if you have that BAQ working, then replace the STUFF function you’re using with string agg in that BAQ

utaylor · October 25, 2024, 12:58pm

Make this a string_agg function not FOR XML.

You can ask an LLM (chatGPT, whatever you want) to take that and make it a string_agg function instead.

hkeric.wci · October 25, 2024, 1:01pm

Example

utaylor · October 25, 2024, 1:02pm

Thanks Haso.