Get Example source ABAP code based on a different SAP table
ARTICLE
SQL Injections Using Object Services Filter conditions are passed to a query as character strings in the query service in the Object Services If a filter condition like this (or part of it) originates outside the program, the same risk of an SQL injection is incurred as when a dynamic WHERE condition is manipulated in Open SQL. To prevent SQL injections of this nature, either parameters from a parameter list or must be used or dynamic parts escaped using the class CL_ABAP_DYN_PRG.
Example The example program DEMO_QUERY_SERVICE is secure, since the interactive input is passed to the query using parameter bindings. If the source code after the statement TRY is replaced as follows, however, SQL injections are possible: TRY. query_manager = cl_os_system=>get_query_manager( ). query = query_manager->create_query( i_filter = `AIRPFROM = '` <(> <)><(> <)> airpfrom <(> <)><(> <)> `' AND AIRPTO = '` <(> <)><(> <)> airpto <(> <)><(> <)> `'` ). connections = agent->if_os_ca_persistency~get_persistent_by_query( i_query = query ). ... If airpfrom and airpto contain the values 'FRA' OR AIRPFROM <(><<)>> '' and 'SIN' OR AIRPTO <(><<)>> '', for example, all existing data is read. If no parameter bindings are used, therefore, airpfrom and airpto must be escaped. query = query_manager->create_query( i_filter = `AIRPFROM = '` <(> <)><(> <)> cl_abap_dyn_prg=>escape_quotes( airpfrom ) <(> <)> <(> <)> `' AND AIRPTO = '` <(> <)><(> <)> cl_abap_dyn_prg=>escape_quotes( airpto ) <(> <)> <(> <)> `'` ).