SQL Injection

Balamurali Krishnan (BalamuraliKrishnan), Accenture SG
Posted: 5 Oct 2020 11:22 EDT | Last activity: 30 Oct 2020 9:38 EDT
1 reply, 67 views

https://community.pega.com/sites/default/files/help_v731/security/best-practices/sec-security-guidelines-custom-HTML-ref.htm

>> Replace dynamic SQL statements with prepared statements that have parameterized queries to prevent possible SQL injection. <<

Can someone help me understand: to avoid SQL injection, we should not use dynamic SQL statements that are parameterized to use user input. Am I right?

If my Connect SQL does not have parameterized queries of user input, is it safe to use? Or should we always prefer to use Obj methods?

Tags: Pega Platform Security


Brad Tainter (Br@dTainter_GCS), Client Solutions Fellow, Pegasystems Inc. US
Posted: 30 Oct 2020 9:38 EDT, replying to BalamuraliKrishnan

Hi Balamurali,

As per https://community.pega.com/knowledgebase/articles/security/84/security-guidelines-custom-html: "Replace dynamic SQL statements with prepared statements that have parameterized queries to prevent possible SQL injection." So yes to your first question.

Regarding your second question, the Obj- methods are preferred. You just want to avoid Connect SQL with dynamic parameters, as that could potentially be manipulated to cause an injection.
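To make the distinction in the thread concrete, here is an added example (not from the original post or from Pega) that runs the same lookup both ways against a constructed in-memory SQLite table: once with the value pasted into the SQL text, once with a prepared statement and a bind parameter. The table name, columns and rows are all made up for the demo.

```python
"""Dynamic SQL vs. prepared statement with a bind parameter (constructed SQLite demo)."""
import sqlite3

# Constructed sample data; nothing here comes from a real system.
SAMPLE_ROWS = [
    ("W-1", "Open", "alice"),
    ("W-2", "Resolved", "bob"),
    ("W-3", "Open", "carol"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database with a small, made-up work-item table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE work (id TEXT, status TEXT, owner TEXT)")
    conn.executemany("INSERT INTO work VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def dynamic_sql_lookup(conn: sqlite3.Connection, owner: str) -> list:
    """The pattern the guideline warns against: the caller's input is
    concatenated into the SQL text, so it can change the statement's
    structure instead of just supplying a value."""
    sql = "SELECT id FROM work WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def prepared_lookup(conn: sqlite3.Connection, owner: str) -> list:
    """The recommended pattern: a fixed statement with a bind parameter.
    The driver sends the value separately from the SQL, so whatever the
    caller supplies is only ever compared as data."""
    sql = "SELECT id FROM work WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed input: treated as SQL by the first function, as a plain
    # string by the second. The prepared version finds no such owner.
    crafted = "nobody' OR 'a'='a"
    print("dynamic:  ", dynamic_sql_lookup(db, crafted))  # returns every id
    print("prepared: ", prepared_lookup(db, crafted))     # returns []
```

For a Pega Connect SQL rule the same rule of thumb applies: a property reference that becomes a bind variable in a prepared statement is the safe form, and any construction that splices the raw value into the statement text is the one to avoid.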