Microsoft Dynamics CRM (Archived)

Any article or white paper regarding CRM SDK already has measures to prevent SQL injection?


Hi,

Recently a customer engaged a 3rd-party vendor to conduct a penetration test, and an issue was raised regarding "application allows input of anomaly syntax to various functions of the web application. eg. % ^ * & ( ) ".

I'm pretty sure the CRM SDK already handles such syntax so as to prevent any attack such as SQL injection. However, is there any MSDN article or white paper (official documents from MS) stating that such prevention is built into the SDK framework?

Thanks!

  • Community Member

    Any luck on the white paper?

  • Community Member

    Hi William,

    You can begin by taking a look at this MSDN article:

    msdn.microsoft.com/.../gg509027.aspx

    Also the article below:

    blogs.msdn.com/.../preventing-sql-injection-with-the-entity-framework-and-data-services.aspx

  • wtoh

    Hi Jawad,

    I'm aware of the first link, and the only relevant statements were:

    Server-side development

    Best practices for developing server-side code for Microsoft Dynamics CRM include the following:

    • Do not modify the Microsoft Dynamics CRM database by any means other than using the SDK because this bypasses the Microsoft Dynamics CRM security model.

    • Adhere to the requirement of not accessing Microsoft Dynamics CRM databases directly through SQL Server Enterprise Manager. Bypassing the SDK can open you up to SQL injection threats.

    As for the second link, it doesn't relate directly to CRM SDK.

    I think I will report the 2 statements from the first link to the customer and see if it is acceptable. If not, I might have to log a case with MS just to have a statement.

    Thanks!

  • Community Member

    What is the architecture of your CRM solution? Do you use plugins? Early bound or late bound?

    For the second statement, it's clear from Microsoft that you shouldn't communicate with the database directly unless there will not be any support from Microsoft.
