
SAP SQL INJ OS QUERY SCRTY documentation, setup help and example usage






SQL Injections Using Object Services
In the query service of the Object Services, filter conditions are passed to a query as character strings.
If such a filter condition (or part of it) originates outside the program, the same risk of an SQL injection is incurred as when a dynamic WHERE condition is manipulated in Open SQL. To prevent SQL injections of this nature, either parameters from a parameter list must be used, or the dynamic parts must be escaped using the class CL_ABAP_DYN_PRG.

Example
The example program DEMO_QUERY_SERVICE is secure, since the interactive input is passed to the query using parameter bindings. If the source code after the statement TRY is replaced as follows, however, SQL injections are possible:
TRY.
    query_manager = cl_os_system=>get_query_manager( ).
    query = query_manager->create_query(
      i_filter = `AIRPFROM = '` && airpfrom &&
                 `' AND AIRPTO = '` && airpto && `'` ).
    connections =
      agent->if_os_ca_persistency~get_persistent_by_query(
        i_query = query ).
    ...
If airpfrom and airpto contain the values "FRA' OR AIRPFROM <> '" and "SIN' OR AIRPTO <> '", for example, the filter becomes AIRPFROM = 'FRA' OR AIRPFROM <> '' AND AIRPTO = 'SIN' OR AIRPTO <> '', and all existing data is read. If no parameter bindings are used, therefore, airpfrom and airpto must be escaped so that a quotation mark in the input cannot terminate the literal:
    query = query_manager->create_query(
      i_filter = `AIRPFROM = '` &&
                 cl_abap_dyn_prg=>escape_quotes( airpfrom ) &&
                 `' AND AIRPTO = '` &&
                 cl_abap_dyn_prg=>escape_quotes( airpto ) &&
                 `'` ).
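The following report is an added example, not part of the SAP documentation extract above. It builds the same filter three ways: by raw concatenation (vulnerable), by escaping with CL_ABAP_DYN_PRG=>ESCAPE_QUOTES, and by parameter binding, which is the variant the documentation recommends but does not show. The persistent class ZCL_SPFLI_PERSISTENT and its class agent ZCA_SPFLI_PERSISTENT are hypothetical; the PAR1/PAR2 placeholder names, the I_PAR1/I_PAR2 parameters of GET_PERSISTENT_BY_QUERY and the exception classes caught are assumptions taken from memory of DEMO_QUERY_SERVICE and should be checked against your system.

```abap
*&---------------------------------------------------------------------*
* Added example (not from the SAP documentation): the Object Services
* filter built three ways, with the injection payloads from the text.
* Hypothetical: persistent class ZCL_SPFLI_PERSISTENT / class agent
* ZCA_SPFLI_PERSISTENT. Assumed from DEMO_QUERY_SERVICE: placeholder
* names PAR1/PAR2, parameters I_PAR1/I_PAR2, exception classes.
*&---------------------------------------------------------------------*
REPORT zdemo_os_query_injection.

CLASS lcl_filter DEFINITION.
  PUBLIC SECTION.
    " Vulnerable: user input concatenated straight into the filter.
    CLASS-METHODS build_unsafe
      IMPORTING airpfrom      TYPE string
                airpto        TYPE string
      RETURNING VALUE(filter) TYPE string.
    " Hardened: every quote in the input is doubled, so the input can
    " never close the literal it is placed in.
    CLASS-METHODS build_escaped
      IMPORTING airpfrom      TYPE string
                airpto        TYPE string
      RETURNING VALUE(filter) TYPE string.
ENDCLASS.

CLASS lcl_filter IMPLEMENTATION.
  METHOD build_unsafe.
    filter = `AIRPFROM = '` && airpfrom &&
             `' AND AIRPTO = '` && airpto && `'`.
  ENDMETHOD.

  METHOD build_escaped.
    filter = `AIRPFROM = '` &&
             cl_abap_dyn_prg=>escape_quotes( airpfrom ) &&
             `' AND AIRPTO = '` &&
             cl_abap_dyn_prg=>escape_quotes( airpto ) && `'`.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed injection payloads (the ones cited in the text).
  DATA(airpfrom) = `FRA' OR AIRPFROM <> '`.
  DATA(airpto)   = `SIN' OR AIRPTO <> '`.

  " 1) Unsafe: the payload adds two OR branches that match every row:
  "    AIRPFROM = 'FRA' OR AIRPFROM <> '' AND AIRPTO = 'SIN' OR AIRPTO <> ''
  DATA(unsafe) = lcl_filter=>build_unsafe( airpfrom = airpfrom
                                           airpto   = airpto ).
  WRITE: / unsafe.

  " 2) Escaped: the doubled quotes keep the whole payload inside the
  "    literal, so it is compared as one (non-matching) airport code:
  "    AIRPFROM = 'FRA'' OR AIRPFROM <> ''' AND AIRPTO = 'SIN'' OR AIRPTO <> '''
  DATA(escaped) = lcl_filter=>build_escaped( airpfrom = airpfrom
                                             airpto   = airpto ).
  WRITE: / escaped.

  " 3) Preferred: parameter binding. The filter is a constant and the
  "    values travel separately, so there is nothing to escape.
  TRY.
      DATA(agent)         = zca_spfli_persistent=>agent.  " hypothetical
      DATA(query_manager) = cl_os_system=>get_query_manager( ).
      DATA(query)         = query_manager->create_query(
                              i_filter = `AIRPFROM = PAR1 AND AIRPTO = PAR2` ).
      DATA(connections) =
        agent->if_os_ca_persistency~get_persistent_by_query(
          i_query = query
          i_par1  = airpfrom
          i_par2  = airpto ).
      WRITE: / |{ lines( connections ) } connection(s) found|.
    CATCH cx_os_object_not_found.
      " Expected for the payload above: no airport code equals it.
      WRITE: / `No connection matches the input`.
    CATCH cx_os_query_error INTO DATA(query_error).
      WRITE: / query_error->get_text( ).
  ENDTRY.
```

When reviewing custom code, treat any CREATE_QUERY call whose I_FILTER is assembled with && or CONCATENATE from report parameters, screen fields or RFC input as a finding unless every dynamic piece passes through CL_ABAP_DYN_PRG; parameter binding is the simpler fix because it leaves the filter string constant and needs no escaping at all.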
Documentation extract taken from SAP system, © Copyright SAP AG. All rights reserved







