ARTICLE
Short Reference
sql_cond - ( cond_syntax )
Syntax
... (cond_syntax) ...
Effect
A logical expression can be specified as a parenthesized data object
cond_syntax that contains the syntax of a logical expression or
is initial when the statement is executed. In this way, it is
possible to specify all logical expressions dynamically, with the
exception of the evaluation of a subquery.
The logical expression in cond_syntax can also be combined using
AND or OR or negated using NOT . The data object
cond_syntax can be a character-like data object or a
standard table without
secondary table keys and with a
character-like row type. The syntax in cond_syntax is, as in the
ABAP Editor, not case-sensitive. When an internal table is specified,
the syntax can be distributed across multiple rows.
The result of the logical expression (cond_syntax) is determined
by the result of the contained logical expression. If cond_syntax
is initial when the statement is executed, the logical expression is
true.
See SQL Injections Using Dynamic Tokens.
Notes
It is possible to evaluate an internal table specified after
FOR ALL ENTRIES in a logical
expression since.
It is possible to check a selection table
in a dynamic logical expression.
If cond_syntax is an internal table with a header line, the
table body is evaluated, and not the header line.
Dynamic logic expressions can also be created interactively using
free selections.
When a condition is specified dynamically, the syntax check can take
place only at runtime. Therefore, specifying a logical expression at
runtime needs more execution time than a corresponding expression
specified in the program text.
The data objects specified in a dynamic condition should be declared in
the same context, if possible, since searches in higher contexts at
runtime are more unwieldy.
The class CL_ABAP_DYN_PRG contains
methods that support the creation of correct and secure dynamic
WHERE conditions.
Example
Creates a dynamic comparison from user input. In the case of incorrect
syntax or incorrect semantics, exceptions are raised that are handled
using the common superclass. Any SQL injections are prevented by checks
made on the entered column name. If this were not the case, a user could,
for example, enter "CARRID = value OR CARRID" in the field column,
producing a condition "CARRID = value OR CARRID = value", which would be
true regardless of the entry made in the field value.
PARAMETERS: column TYPE c LENGTH 30,
            value  TYPE c LENGTH 30.

DATA: spfli_tab   TYPE TABLE OF spfli,
      cond_syntax TYPE string.

AT SELECTION-SCREEN.
  TRY.
      cl_abap_dyn_prg=>check_column_name( column ).
    CATCH cx_abap_invalid_name.
      MESSAGE 'Not allowed' TYPE 'E'.
  ENDTRY.

START-OF-SELECTION.
  cond_syntax = column && ` = value`.
  TRY.
      SELECT *
        FROM spfli
        INTO TABLE spfli_tab
        WHERE (cond_syntax).
    CATCH cx_sy_dynamic_osql_error.
      MESSAGE `Wrong WHERE condition!` TYPE 'I'.
  ENDTRY.
Example
Creating a dynamic WHERE condition by chaining user input as
shown below is even more risky than the previous example. Any
SQL injections must be prevented by transforming quotation marks in
the entry value. A user can, for example, enter "CARRID" in column and
"LH' OR CARRID = 'LH" in value, which would produce the condition
"CARRID = 'LH' OR CARRID = 'LH'" (always true) if the quotation marks
were not transformed. The transformation produces the condition
"CARRID = 'LH'' OR CARRID = ''LH'". The handling of consecutive quotation
marks in text field literals results in the column CARRID being compared
precisely with the entered value, making the result of the condition
always false.
PARAMETERS: column TYPE c LENGTH 30,
            value  TYPE c LENGTH 30.

DATA: spfli_tab   TYPE TABLE OF spfli,
      cond_syntax TYPE string.

AT SELECTION-SCREEN.
  TRY.
      cl_abap_dyn_prg=>check_column_name( column ).
    CATCH cx_abap_invalid_name.
      MESSAGE 'Not allowed' TYPE 'E'.
  ENDTRY.

START-OF-SELECTION.
  value = cl_abap_dyn_prg=>escape_quotes( value ).
  cond_syntax = column && ` = '` && value && `'`.
  TRY.
      SELECT *
        FROM spfli
        INTO TABLE spfli_tab
        WHERE (cond_syntax).
    CATCH cx_sy_dynamic_osql_error.
      MESSAGE `Wrong WHERE condition!` TYPE 'I'.
  ENDTRY.
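The following program is an added example and is not part of the SAP documentation. It applies the same two protections (check_column_name for the column, escape_quotes for the literal) while building cond_syntax as a standard internal table with character-like rows, one condition fragment per row, so that optional filters are joined with AND and an entirely empty table selects all rows; the parameter names, the report name and the use of the SPFLI column CITYFROM are assumptions made for the example.

```abap
" Added example, not from the SAP documentation: the dynamic condition is
" assembled in an internal table (one fragment per row) instead of a string.
" Parameter and variable names are chosen for illustration only.
REPORT zdyn_where_demo.

PARAMETERS: column TYPE c LENGTH 30,
            value  TYPE c LENGTH 30,
            cityfr TYPE c LENGTH 20.   " optional second filter on CITYFROM

DATA: spfli_tab TYPE TABLE OF spfli,
      cond_tab  TYPE TABLE OF string,  " standard table, character-like rows
      cond_line TYPE string.

AT SELECTION-SCREEN.
  " A column name cannot be escaped, so it is validated instead.
  TRY.
      cl_abap_dyn_prg=>check_column_name( column ).
    CATCH cx_abap_invalid_name.
      MESSAGE 'Not allowed' TYPE 'E'.
  ENDTRY.

START-OF-SELECTION.
  " Each literal value is escaped: every ' in the input becomes '' so it
  " stays inside the text field literal and cannot terminate it.
  IF value IS NOT INITIAL.
    cond_line = column && ` = '` && cl_abap_dyn_prg=>escape_quotes( value ) && `'`.
    APPEND cond_line TO cond_tab.
  ENDIF.

  IF cityfr IS NOT INITIAL.
    IF cond_tab IS NOT INITIAL.
      cond_line = `AND`.               " rows of cond_tab are joined by blanks
      APPEND cond_line TO cond_tab.
    ENDIF.
    cond_line = `CITYFROM = '` && cl_abap_dyn_prg=>escape_quotes( cityfr ) && `'`.
    APPEND cond_line TO cond_tab.
  ENDIF.

  " If no input was made, cond_tab is initial and (cond_tab) is true,
  " so every row of SPFLI is selected.
  TRY.
      SELECT *
        FROM spfli
        INTO TABLE spfli_tab
        WHERE (cond_tab).
    CATCH cx_sy_dynamic_osql_error.
      MESSAGE `Wrong WHERE condition!` TYPE 'I'.
  ENDTRY.
```

Because the whole condition is still checked only at runtime, a syntactically broken fragment (for example an unbalanced quotation mark that survived truncation into a short field) surfaces as cx_sy_dynamic_osql_error rather than as a silent change of meaning.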
Documentation extract taken from SAP system, © Copyright SAP AG. All rights reserved