SAP SQL INJ DYN TOKENS SCRTY Get Example source ABAP code based on a different SAP tableSAP Help
ARTICLE
SQL Injections Using Dynamic Tokens The
Open SQL syntax allows you to specify every clause of an Open SQL statement as the content of a data object listed in parentheses. If all of part of the content of one of these data objects originates from outside of the program, there is a risk of one of the following SQL injections: Note Example WHERE condition is insecure compared to an SQL injection, if input is an external input, which is not checked or masked beforehand. This is not necessary for the second dynamic WHERE condition. DATA(sql_cond1) = `CARRID = '` <(> <)><(> <)> input <(> <)><(> <)> `'`. Access to non-permitted database tables dbtab_syntax database tables (for the statement SELECT or for writes) originates completely or partially from outside the program, then users could potentially access databases for which they usually do not have authorization. If the use of external input in a dynamic specification of database tables is unavoidable, the input must be properly checked. For example, the class CL_ABAP_DYN_PRG can be used to make a comparison with a whitelist. Example CHECK_TABLE_NAME_STR only allows access to tables of the flight data model. Inputs from other or non-existent database tables are rejected. Access to oversized database tables is also not allowed, to avoid putting too much strain on system performance. DATA dbtab TYPE string. Access to non-permitted table columns column_syntax table columns (for the statement SELECT) originates completely or partially from outside the program, then users could potentially access table columns for which they usually do not have authorization. Users could also rename columns without permission or use aggregate functions to perform unauthorized calculations. If the use of external input in a dynamic specification of table columns is unavoidable, the input must be properly checked. For example, the class CL_ABAP_DYN_PRG can be used to make a comparison with a whitelist. Note GROUP BY , the same security advice applies as for the dynamic specification of columns directly after SELECT. Example column _syntax. Here only columns from a whitelist are permitted to be read. Manipulation of the dynamic WHERE condition WHERE condition cond_syntax originates completely or partially from outside the program, then users could potentially access data for which they usually do not have authorization. If the use of external input in a dynamic WHERE condition cannot be avoided, the input must be properly checked and usually masked as well. To do this, you can sue the methods of class CL_ABAP_DYN_PRG. Note HAVING condition, the same security advice applies as for the dynamic WHERE condition. Example SQL injection is impaired by the ESCAPE_QUOTES method of class CL_ABAP_DYN_PRG . If this method is not used, then if 'x' OR name <(><<)>> '' is entered, for example, all the data in the SCUSTOM table is displayed. DATA name TYPE string. dynamic WHERE condition. Manipulating a change expression expr_syntax (for the statement UPDATE) originates completely or partially from outside the program, then users could potentially change data for which they usually do not have authorization. If the use of external input in a dynamic change expression cannot be avoided, the input must be properly checked and usually masked as well. To do this, you can sue the methods of class CL_ABAP_DYN_PRG. Example SQL injection is impaired by the ESCAPE_QUOTES method of class CL_ABAP_DYN_PRG . If this method is not used, then if '...' discount = '90', for example, is entered in one of the input fields, the discount for the relevant customer is set to 90. DATA in TYPE REF TO if_demo_input.
