ARTICLE
SQL Injections Using Object Services
In the query service of the Object Services, filter conditions are passed to a query as character strings. If such a filter condition (or part of it) originates outside the program, the same risk of an SQL injection is incurred as when a dynamic WHERE condition is manipulated in Open SQL. To prevent SQL injections of this nature, either parameters from a parameter list must be used, or the dynamic parts must be escaped using the class CL_ABAP_DYN_PRG.
Example
The example program DEMO_QUERY_SERVICE is secure, since the interactive input is passed to the query using parameter bindings. If the source code after the statement TRY is replaced as follows, however, SQL injections become possible:
TRY.
    query_manager = cl_os_system=>get_query_manager( ).
    query = query_manager->create_query(
              i_filter = `AIRPFROM = '` && airpfrom &&
                         `' AND AIRPTO = '` && airpto && `'` ).
    connections =
      agent->if_os_ca_persistency~get_persistent_by_query(
        i_query = query ).
    ...
If airpfrom and airpto contain the values "FRA' OR AIRPFROM '" and "SIN' OR AIRPTO '", for example, all existing data is read. If no parameter bindings are used, airpfrom and airpto must therefore be escaped:
    query = query_manager->create_query(
              i_filter = `AIRPFROM = '` &&
                         cl_abap_dyn_prg=>escape_quotes( airpfrom ) &&
                         `' AND AIRPTO = '` &&
                         cl_abap_dyn_prg=>escape_quotes( airpto ) &&
                         `'` ).
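The parameter-binding form referred to above, as an added example that is not taken from DEMO_QUERY_SERVICE or from the SAP documentation; it assumes the I_PARAMETERS parameter of CREATE_QUERY and the I_PAR1/I_PAR2 parameters of GET_PERSISTENT_BY_QUERY, and that the placeholder names in the filter match the declared parameter list:

```abap
" Added example (not from the original page). Secure variant: the user
" input never becomes part of the filter string. The filter refers only
" to the declared parameters, and the values are bound at execution time.
TRY.
    query_manager = cl_os_system=>get_query_manager( ).
    " Assumption: I_PARAMETERS declares the named placeholders used in
    " I_FILTER; the filter text itself is a constant, not built from input.
    query = query_manager->create_query(
              i_parameters = `AIRPFROM AIRPTO`
              i_filter     = `AIRPFROM = AIRPFROM AND AIRPTO = AIRPTO` ).
    " Assumption: I_PAR1 and I_PAR2 bind the input values to the first and
    " second declared parameter. An input such as "FRA' OR AIRPFROM '" is
    " compared literally against the AIRPFROM column and matches nothing.
    connections =
      agent->if_os_ca_persistency~get_persistent_by_query(
        i_query = query
        i_par1  = airpfrom
        i_par2  = airpto ).
  CATCH cx_os_object_not_found.
    " Constructed handling: no matching connections were found.
    CLEAR connections.
ENDTRY.
```

Because the filter string is a constant, the filter cannot be changed by input, and the ESCAPE_QUOTES call is not needed in this variant.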
Documentation extract taken from SAP system, © Copyright SAP AG. All rights reserved