SQL Injection for Updating Orders

Discussions concerning general integration topics.

Moderator: Phil Barton

timothymeyer16
Posts: 37
Joined: Mon Jun 14, 2021 9:47 am

SQL Injection for Updating Orders

Post by timothymeyer16 »

In an effort to create faster order-updating tools, we tried experimenting with updating order information via SQL.

For example, here we tried changing the order status:

Code:

-- SQL CODE
-- Select the database before opening the transaction so the
-- batch separator (go) does not sit inside the open transaction.
use Dev_SelectDb
go

begin tran

  update [pf].[OrderInfo]
  set OrderStatus = '7'
  where Number = '161078-XD-AL-RR-KV'

  update pf.SearchOrder
  set OrderStatus = '7'
  where Number = '161078-XD-AL-RR-KV'

  update pfm.[Order]
  set Status = '7'
  where Number = '161078-XD-AL-RR-KV'

  -- left commented on purpose: run one of these by hand after checking the rows
  --commit
  --rollback


This worked in terms of updating the database. The change was reflected.


[Screenshot attachment: 1.PNG]

However, the change did not occur in the GUI. Is there any documentation on how an order pulls in order info in the GUI?

[Screenshot attachment: 2.PNG]
BobRichards
Posts: 1376
Joined: Wed Jan 15, 2014 3:50 pm
Location: Raleigh, NC

Re: SQL Injection for Updating Orders

Post by BobRichards »

The order does not generally read from pf or pfm tables to restore its value. Information in these tables is automatically updated when the order is saved by mid-tier "order saving" logic. These tables are primarily for certain reports, search information, and information associated with the Select order environment (lookups, policies, etc.). In other words, order data flows to the SQL tables but not back into the order.

Modifying any Select SQL tables is not allowed and may result in improper operation including failure to perform. You are encouraged to read table information if necessary - but DO NOT modify.

Sorry about the rude red but we would never want to go back to the old days (a prior product) when third-party users did all kinds of experimenting with SQL modification that totally messed up our orders and version upgrade processes. It was a mess. There are pros and cons for both approaches but we opted for the most stable product. I hope you understand. :)
Bob Richards, Senior Software Developer, SoftPro
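The "read if necessary, but do not modify" rule above can be enforced at the database instead of relying on convention. The script below is an added example, not SoftPro's code: it assumes a SQL Server database named as in the thread (Dev_SelectDb) with the pf and pfm schemas, and the role and user names (SelectReadOnly, IntegrationTool) are hypothetical.

```sql
-- Added example (not from the thread or the vendor): a read-only role for
-- integration tooling that can query the Select reporting/search tables
-- but cannot write to them. Role and user names are hypothetical.
use Dev_SelectDb;
go

create role SelectReadOnly;
go

-- Read access to the two schemas the original post touched.
grant select on schema::pf  to SelectReadOnly;
grant select on schema::pfm to SelectReadOnly;

-- An explicit DENY overrides any GRANT inherited through another role,
-- so an accidental db_datawriter membership cannot reopen write access.
deny insert, update, delete on schema::pf  to SelectReadOnly;
deny insert, update, delete on schema::pfm to SelectReadOnly;
go

-- Hypothetical principal used by the order tooling; "without login" keeps
-- this self-contained so the check below can run on a dev database.
create user IntegrationTool without login;
alter role SelectReadOnly add member IntegrationTool;
go

-- Check: impersonate the tool and confirm reads are allowed while
-- updates to the tables from the thread are denied (1 = allowed, 0 = denied).
execute as user = 'IntegrationTool';
select
    has_perms_by_name('pf.OrderInfo',   'OBJECT', 'SELECT') as can_select_orderinfo,
    has_perms_by_name('pf.OrderInfo',   'OBJECT', 'UPDATE') as can_update_orderinfo,
    has_perms_by_name('pf.SearchOrder', 'OBJECT', 'UPDATE') as can_update_searchorder;
revert;
go
```

The same GRANT/DENY pattern applied to the account used in the first post would have turned the experiment into a permission error before any rows changed.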
timothymeyer16
Posts: 37
Joined: Mon Jun 14, 2021 9:47 am

Re: SQL Injection for Updating Orders

Post by timothymeyer16 »

We understand, thank you for the detailed response.