Microsoft Dynamics CRM (Archived)

any article or white paper regarding CRM SDK already has measures to prevent SQL injection?

Hi,

Recently a customer has engaged a 3rd-party vendor to conduct a penetration test and there is an issue raised regarding "application allows input of anomaly syntax to various functions of the web application. eg. % ^ * & ( ) ".

I'm pretty sure CRM SDK already handles such syntax so as to prevent any attack such as SQL Injection. However, is there any MSDN article or white paper (official documents from MS) stating that such prevention is built into the SDK framework?

Thanks!

  • Community Member

    What is the architecture of your CRM solution? Do you use plugins? Early bound or late bound?

    For the second statement, it's made clear by Microsoft that you shouldn't communicate with the database directly; otherwise there will not be any support from Microsoft.

  • wtoh

    Hi Jawad,

    I'm aware of the first link, and the only relevant statements were:

    Server-side development

    Best practices for developing server-side code for Microsoft Dynamics CRM include the following:

    • Do not modify the Microsoft Dynamics CRM database by any means other than using the SDK because this bypasses the Microsoft Dynamics CRM security model.

    • Adhere to the requirement of not accessing Microsoft Dynamics CRM databases directly through SQL Server Enterprise Manager. Bypassing the SDK can open you up to SQL injection threats.

    As for the second link, it doesn't relate directly to CRM SDK.

    I think I will report the 2 statements from the first link to the customer and see if it is acceptable. If not, I might have to log a case with MS just to have a statement.

    Thanks!

  • Community Member

    Hi William,

    You can begin by taking a look at this MSDN article:

    msdn.microsoft.com/.../gg509027.aspx

    Also the article below:

    blogs.msdn.com/.../preventing-sql-injection-with-the-entity-framework-and-data-services.aspx

  • Community Member

    Any luck on the white paper?
