SAP SQL INJ ADBC SCRTY
When
To prevent
Example
In the following program section, the key value
DATA key TYPE string.
cl_demo_input=>request( CHANGING field = key ).
TRY.
    " The input is chained into the statement text inside a quoted literal.
    " ESCAPE_QUOTES doubles every single quote in it, so the value cannot
    " terminate the literal and smuggle further SQL into the statement.
    DATA(result) = NEW cl_sql_statement( )->execute_query(
      `SELECT carrname ` &&
      `FROM scarr ` &&
      `WHERE mandt = ` && `'` && sy-mandt && `' AND` &&
      ` carrid = ` && `'` &&
      cl_abap_dyn_prg=>escape_quotes( to_upper( key ) ) && `'` ).
    DATA name TYPE scarr-carrname.
    result->set_param( REF #( name ) ).
    result->next( ).
    cl_demo_output=>display( name ).
  CATCH cx_sql_exception INTO DATA(err).
    cl_demo_output=>display( err->get_text( ) ).
ENDTRY.
Example
This example has the same functionality as the previous one. Here it is not necessary to mask the value, because the input is bound to a parameter marker (?) with SET_PARAM instead of being chained into the statement text; the database receives it as data, never as part of the SQL.

DATA key TYPE string.
cl_demo_input=>request( CHANGING field = key ).
TRY.
    DATA(sql) = NEW cl_sql_statement( ).
    " Parameters are bound in the order of the ? markers in the statement.
    sql->set_param( REF #( sy-mandt ) ).
    sql->set_param( REF #( key ) ).
    DATA(result) = sql->execute_query(
      `SELECT carrname ` &&
      `FROM scarr ` &&
      `WHERE mandt = ? AND carrid = ?` ).
    DATA name TYPE scarr-carrname.
    result->set_param( REF #( name ) ).
    result->next( ).
    cl_demo_output=>display( name ).
  CATCH cx_sql_exception INTO DATA(err).
    cl_demo_output=>display( err->get_text( ) ).
ENDTRY.
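The following program is added here as an illustration and is not taken from the SAP documentation. It puts the two hardened forms of the examples above next to the unhardened concatenation they replace: it builds the statement text for a constructed input that contains a single quote, so the effect of ESCAPE_QUOTES becomes visible, and executes only the parameter-marker variant, here written with CL_SQL_PREPARED_STATEMENT. The report name, the local class name and the input value are assumptions; table SCARR and column CARRID are those used on this page.

```abap
" Added example, not from the SAP documentation page. Report and class
" names are assumed; the input value is constructed for illustration.
REPORT zdemo_adbc_params.

CLASS lcl_adbc_demo DEFINITION.
  PUBLIC SECTION.
    " Unhardened: the input is chained into a quoted literal unchanged.
    CLASS-METHODS build_unsafe
      IMPORTING key TYPE string RETURNING VALUE(stmt) TYPE string.
    " Hardened with ESCAPE_QUOTES: only valid because the value sits
    " between single quotes in the statement text.
    CLASS-METHODS build_escaped
      IMPORTING key TYPE string RETURNING VALUE(stmt) TYPE string.
    " Hardened with a parameter marker: the value is never part of the
    " SQL text, so no quoting or escaping is involved at all.
    CLASS-METHODS query_prepared
      IMPORTING key TYPE string RETURNING VALUE(name) TYPE scarr-carrname
      RAISING cx_sql_exception.
ENDCLASS.

CLASS lcl_adbc_demo IMPLEMENTATION.
  METHOD build_unsafe.
    stmt = `SELECT carrname FROM scarr WHERE mandt = '` && sy-mandt &&
           `' AND carrid = '` && to_upper( key ) && `'`.
  ENDMETHOD.

  METHOD build_escaped.
    stmt = `SELECT carrname FROM scarr WHERE mandt = '` && sy-mandt &&
           `' AND carrid = '` &&
           cl_abap_dyn_prg=>escape_quotes( to_upper( key ) ) && `'`.
  ENDMETHOD.

  METHOD query_prepared.
    DATA(carrid) = to_upper( key ).
    DATA(prep) = NEW cl_sql_prepared_statement(
      statement = `SELECT carrname FROM scarr WHERE mandt = ? AND carrid = ?` ).
    " Bind in the order of the ? markers; both values travel as data.
    prep->set_param( REF #( sy-mandt ) ).
    prep->set_param( REF #( carrid ) ).
    DATA(result) = prep->execute_query( ).
    result->set_param( REF #( name ) ).
    IF result->next( ) = 0.
      CLEAR name.          " no row fetched: unknown carrier, not an error
    ENDIF.
    result->close( ).
    prep->close( ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed input: a single quote is the character that ends an SQL literal.
  DATA(input) = `LH' OR '1' = '1`.
  cl_demo_output=>write( |Unsafe:   { lcl_adbc_demo=>build_unsafe( input ) }| ).
  cl_demo_output=>write( |Escaped:  { lcl_adbc_demo=>build_escaped( input ) }| ).
  TRY.
      cl_demo_output=>write( |Prepared: { lcl_adbc_demo=>query_prepared( input ) }| ).
    CATCH cx_sql_exception INTO DATA(err).
      cl_demo_output=>write( err->get_text( ) ).
  ENDTRY.
  cl_demo_output=>display( ).
```

In the unsafe statement text the quote in the input closes the CARRID literal and the rest of the input becomes part of the WHERE condition; in the escaped text every quote is doubled, so the whole input stays one string literal. Note what the escaping relies on: it protects only a value that is enclosed in single quotes. Chain the same input into an unquoted position (a numeric comparison, for instance) and ESCAPE_QUOTES changes nothing, whereas the parameter marker has no such precondition, which is why it is the form to prefer wherever the input is a value. A parameter marker cannot stand for a table or column name, though; names taken from outside have to be validated with the CHECK_* methods of CL_ABAP_DYN_PRG before they are chained into the statement.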