Re: SQL Injection risks with entity API
Posted by Adrian Crum on Jul 07, 2006; 8:52pm
URL: http://ofbiz.116.s1.nabble.com/SQL-Injection-risks-with-entity-API-tp169530p169532.html
Leon,
I'm glad you brought this up. It has always been a question in the back of my mind.
-Adrian
Leon Torres wrote:
> Ok I just tried to do it and it doesn't work because ofbiz validates the
> field names, which is great. Here's what I tried:
>
> opportunitiesOrderBy=opportunityStageId;delete%20from%20party%20where%201=1
>
> Results in:
>
> Target exception: org.ofbiz.entity.GenericModelException: Field with
> name opportunityStageId;delete from party where 1=1 not found in the
> PartyRelationshipAndSalesOpportunity Entity
>
> So there is no need to worry about using request parameters directly in
> the entity engine API.
>
> - Leon
>
>
>
> Leon Torres wrote:
>
>> How robust is the entity engine API against sql injection attacks?
>> Consider the following scenario:
>>
>> // get the field to order by from the request parameters
>> orderByField = parameters.get("orderByField");
>> if (orderByField == null || orderByField.trim().length() == 0) {
>> orderByField = "partyId"; // default
>> }
>>
>> ...
>>
>> parties = delegator.findByAnd("Party", conditions,
>> UtilMisc.toList(orderByField)); // order by this field
>>
>>
>> What happens if the user tries to inject SQL into the orderByField
>> parameter? Is there a risk? Should I be protecting myself by
>> validating the orderByField parameter or does ofbiz/JDBC already do this?
>>
>> - Leon
>>
>
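The thread's conclusion is that the entity engine only ever puts field names it knows from the entity model into the ORDER BY clause, so a request parameter like `partyId;delete from party where 1=1` is refused before any SQL is built. The following Python is an added illustration of that allowlist pattern around Leon's snippet; it is not OFBiz code, and the four-field `Party` model, the camelCase-to-column mapping and the accepted `-field` / `field DESC` syntax are assumptions made for the example.

```python
import re

# Constructed stand-in for the Party entity definition that OFBiz would load
# from entitymodel.xml; the real entity has more fields (assumption).
PARTY_FIELDS = {"partyId", "partyTypeId", "statusId", "createdDate"}

# Order-by forms accepted here: a bare field name, an optional leading "-"/"+"
# for direction, or a trailing ASC/DESC (assumed syntax, not copied from the
# OFBiz source). Anything else, e.g. a ";" or a second statement, fails to parse.
_ORDER_BY_RE = re.compile(
    r"^([+-]?)([A-Za-z_][A-Za-z0-9_]*)(?:\s+(ASC|DESC))?$", re.IGNORECASE)


class FieldNotFoundError(ValueError):
    """Raised for a name that is not a field of the entity (cf. GenericModelException)."""


def column_name(field):
    """camelCase field name -> UPPER_SNAKE column name, e.g. partyId -> PARTY_ID."""
    return re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", field).upper()


def validate_order_by(expr, entity_name, fields):
    """Return (column, direction) or raise; the raw user string never reaches SQL."""
    m = _ORDER_BY_RE.match(expr.strip())
    if not m or m.group(2) not in fields:
        raise FieldNotFoundError(
            f"Field with name {expr} not found in the {entity_name} Entity")
    sign, name, suffix = m.groups()
    descending = sign == "-" or (suffix or "").upper() == "DESC"
    return column_name(name), "DESC" if descending else "ASC"


def parties_query(request_params):
    """Mirror of Leon's snippet: order by the request parameter, default partyId."""
    order_by_field = request_params.get("orderByField")
    if order_by_field is None or not order_by_field.strip():
        order_by_field = "partyId"
    column, direction = validate_order_by(order_by_field, "Party", PARTY_FIELDS)
    # Only identifiers derived from the entity model are interpolated.
    return f"SELECT * FROM PARTY ORDER BY {column} {direction}"


def is_rejected(order_by_field):
    """True when the allowlist check refuses the value."""
    try:
        parties_query({"orderByField": order_by_field})
    except FieldNotFoundError:
        return True
    return False
```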