Maximo Automationscript

SQL Injection

The method MboSet.setWhere(String query) should not be invoked with concatenated strings such as

"wonum = '" + wonum + "' and siteid = '" + siteid + "'"

since any value that contains a quote character becomes part of the SQL text and opens the query to SQL injection. Instead, build the clause with psdi.mbo.SqlFormat, which binds each value to a numbered placeholder:

// Bind the Java class under the Nashorn JavaScript engine; on a Rhino-based
// release use importPackage(Packages.psdi.mbo) instead.
var SqlFormat = Java.type("psdi.mbo.SqlFormat");

// :1 and :2 are bind positions, filled by setObject below, never by concatenation
var sqlf = new SqlFormat("wonum = :1 and siteid = :2");
// setObject(position, object, attribute, value): the value is quoted and
// escaped according to the type of the named attribute
sqlf.setObject(1, "WORKORDER", "WONUM", wonum);
sqlf.setObject(2, "WORKORDER", "SITEID", siteid);
var whereClause = sqlf.format();
someMboSet.setWhere(whereClause);
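As an added review helper that is not part of the original page, the following Node.js script scans automation-script source for setWhere calls whose clause is assembled by concatenation rather than taken from SqlFormat.format(); the function names and both sample scripts are constructed for the demonstration, and it is a heuristic that follows only simple `var name = ...;` assignments.

```javascript
// Added example (not the page's code): heuristic scan of Maximo automation-
// script source for setWhere(...) clauses built by string concatenation.
// Argument text of each `.setWhere(` call; quotes and nested parentheses are
// tracked so a ')' inside a string literal does not end the call.
function extractSetWhereArgs(source) {
  const marker = ".setWhere(";
  const args = [];
  for (let idx = source.indexOf(marker); idx !== -1; idx = source.indexOf(marker, idx + 1)) {
    let i = idx + marker.length, depth = 1, quote = null;
    const start = i;
    for (; i < source.length && depth > 0; i++) {
      const ch = source[i];
      if (quote) {
        if (ch === "\\") i++;               // skip the escaped character
        else if (ch === quote) quote = null;
      } else if (ch === '"' || ch === "'") quote = ch;
      else if (ch === "(") depth++;
      else if (ch === ")") depth--;
    }
    args.push(source.slice(start, i - 1).trim());
  }
  return args;
}
// A bare identifier is replaced by the expression it was last assigned from
// (`var w = ...;`), so a clause built in a variable is still examined.
function resolveExpression(source, arg) {
  if (!/^[A-Za-z_$][\w$]*$/.test(arg)) return arg;
  const assign = new RegExp("\\b" + arg + "\\s*=\\s*([^;]+);", "g");
  let expr = arg, m;
  while ((m = assign.exec(source)) !== null) expr = m[1].trim();
  return expr;
}
// A '+' left after removing all string literals means a literal is being
// joined with runtime values, the pattern SqlFormat exists to avoid.
const LITERAL = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g;
function isConcatenated(expr) {
  const stripped = expr.replace(LITERAL, "");
  return stripped.length < expr.length && stripped.includes("+");
}
function findUnsafeSetWhere(source) {
  return extractSetWhereArgs(source)
    .map((arg) => resolveExpression(source, arg))
    .filter(isConcatenated);
}
// Constructed samples: the concatenated clause and the SqlFormat clause.
const unsafeScript = `var w = "wonum = '" + wonum + "' and siteid = '" + siteid + "'";
set.setWhere(w);`;
const safeScript = `var sqlf = new SqlFormat("wonum = :1 and siteid = :2");
set.setWhere(sqlf.format());`;
```

Running findUnsafeSetWhere over a script library flags only the concatenated clauses, which is the set a reviewer needs to convert to SqlFormat.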