SQL Injections Using ADBC
When ADBC is used, SQL statements are passed as strings to ADBC objects (such as instances of CL_SQL_STATEMENT) and then passed on to the database system. If all or part of one of these SQL statements originates from outside the program, there is a risk of SQL injection.
To prevent SQL injections, make sure that SQL statements passed to ADBC contain as few dynamic parts originating from outside the program as possible. If the statements do contain sections from outside the program, the contents of these parts should not be chained to the SQL statement. Instead, these contents should be addressed using the ? placeholder and the associated SET_PARAM methods. If this is not possible, the dynamic sections must be checked using the CL_ABAP_DYN_PRG class and masked if necessary.
Example
In the following program section, the key value key (entered externally) is chained to the SQL statement. It must therefore be masked using the method ESCAPE_QUOTES to avoid an SQL injection.
DATA key TYPE string.
cl_demo_input=>request( CHANGING field = key ).
TRY.
    DATA(result) = NEW cl_sql_statement( )->execute_query(
      `SELECT carrname ` &&
      `FROM scarr ` &&
      `WHERE mandt = ` && `'` && sy-mandt && `' AND` &&
      " The external value is chained into the statement, so its quotes are masked.
      ` carrid = ` && `'` && cl_abap_dyn_prg=>escape_quotes( to_upper( key ) ) && `'` ).
    DATA name TYPE scarr-carrname.
    result->set_param( REF #( name ) ).
    result->next( ).
    cl_demo_output=>display( name ).
  CATCH cx_sql_exception INTO DATA(err).
    cl_demo_output=>display( err->get_text( ) ).
ENDTRY.
Example
In this example, the same functionality is used as in the previous example. Here it is not necessary to mask the value, because the input is bound to a parameter (rather than chained into the statement).
DATA key TYPE string.
cl_demo_input=>request( CHANGING field = key ).
TRY.
    DATA(sql) = NEW cl_sql_statement( ).
    " Input parameters are bound in the order of the ? placeholders.
    sql->set_param( REF #( sy-mandt ) ).
    sql->set_param( REF #( key ) ).
    DATA(result) = sql->execute_query(
      `SELECT carrname ` &&
      `FROM scarr ` &&
      `WHERE mandt = ? AND carrid = ?` ).
    DATA name TYPE scarr-carrname.
    result->set_param( REF #( name ) ).
    result->next( ).
    cl_demo_output=>display( name ).
  CATCH cx_sql_exception INTO DATA(err).
    cl_demo_output=>display( err->get_text( ) ).
ENDTRY.
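The third case named above, a dynamic section that cannot be bound with ?, is shown in the following added example, which is not part of the SAP documentation: a user-chosen sort column cannot be a parameter, so it is checked against an allow list with CHECK_WHITELIST_STR of CL_ABAP_DYN_PRG (a method not used in the examples above), while the value itself is still bound with ?. The column list and the LIKE pattern are assumptions chosen for the example.

```abap
DATA key    TYPE string.
DATA column TYPE string.
cl_demo_input=>add_field( CHANGING field = key ).
cl_demo_input=>request( CHANGING field = column ).
TRY.
    " The sort column becomes part of the statement text, so only names from
    " a fixed allow list are accepted; anything else raises an exception.
    DATA(sort_column) = cl_abap_dyn_prg=>check_whitelist_str(
      val       = to_upper( column )
      whitelist = `CARRID,CARRNAME,CURRCODE` ).

    DATA(sql) = NEW cl_sql_statement( ).
    " Values are bound with ? in placeholder order; key may contain % or '
    " without affecting the statement structure.
    sql->set_param( REF #( sy-mandt ) ).
    sql->set_param( REF #( key ) ).
    DATA(result) = sql->execute_query(
      `SELECT carrid, carrname ` &&
      `FROM scarr ` &&
      `WHERE mandt = ? AND carrname LIKE ? ` &&
      `ORDER BY ` && sort_column ).

    TYPES: BEGIN OF carrier,
             carrid   TYPE scarr-carrid,
             carrname TYPE scarr-carrname,
           END OF carrier.
    DATA carriers TYPE STANDARD TABLE OF carrier WITH EMPTY KEY.
    result->set_param_table( REF #( carriers ) ).
    result->next_package( ).
    result->close( ).
    cl_demo_output=>display( carriers ).
  CATCH cx_abap_not_in_whitelist INTO DATA(wl_err).
    " Rejected sort column: the statement is never sent to the database.
    cl_demo_output=>display( wl_err->get_text( ) ).
  CATCH cx_sql_exception INTO DATA(err).
    cl_demo_output=>display( err->get_text( ) ).
ENDTRY.
```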
Documentation extract taken from SAP system, © Copyright SAP AG. All rights reserved