BuildSafe encapsulation

As documented, if we need to provide IN clauses in Advanced Queries, we must use BuildSafe, and if we do so and use the BuildSafe output as a Query input, we get no warnings about SQL Injection.

In my use case I have several IN clauses, so I've encapsulated multiple BuildSafe calls inside a single Server Action (for reusability) and return those outputs as Text, but now if I use those outputs as Query inputs I do get SQL Injection warnings, e.g.:

"SQL Injection. Avoid enabling the Expand Inline property of a SQL Query Parameter since it could make your application vulnerable to SQL injection. Click this message and press F1 to see our recommendations."

Is there a way to declare that those strings are safe?

I've already opened the Sanitization Extension hoping to find some attribute that defines something like that, but it doesn't exist.

Of course, another solution is to duplicate the code, but that's the purpose of my Server Action.

Thank you all.

Hi Tiago,

I think that is expected, since you are not using the BuildSafe output directly.

You can of course right-click the warning message in the TrueChange tab and select 'Hide Warning' not to see it any more. This is of course just to hide the message, but I don't think there is much else to do.

Hello Tiago,

You can use the function 'EncodeSql()', which solves your problem. But in terms of security I don't think there's anything developed yet.


Jorge Rodrigues 
