sapdev logo background
sapdev logo sapdev logo
Comments

SAP WHERE LOGEXP DYNAMIC documentation, setup help and example usage



Return to SAP documentation index


ARTICLE
Short Reference

sql_cond - ( cond_syntax )

Syntax
... (cond_syntax) ...

Effect
A logical expression can be specified as a parenthesized data object cond_syntax that contains the syntax of a logical expression or is initial when the statement is executed. In this way, it is now possible to specify all logical expressions dynamically, with the exception of the evaluation of a subquery
.
The logical expression in cond_syntax can also be combined using AND or OR or negated using NOT . The data object cond_syntax can be a character-like data object or a standard table without secondary table keys and with a character-like row type. The syntax in cond_syntax is, as in the ABAP Editor, not case-sensitive. When an internal table is specified, the syntax can be distributed across multiple rows.
The result of the logical expression (cond_syntax) is determined by the result of the contained logical expression. If cond_syntax
is initial when the statement is executed, the logical expression is true. See SQL Injections Using Dynamic Tokens .

Notes
  • It is possible to evaluate an internal table specified after FOR ALL ENTRIES in a logical expression since.

  • It is possible to check a selection table

    • in a dynamic logical expression.
  • If cond_syntax is an internal table with a header line , the table body is evaluated, and not the header line.

  • Dynamic logic expressions can also be created interactively using free selections .

  • When a condition is specified dynamically, the syntax check can take place only at runtime. Therefore, specifying a logical expression at runtime needs more execution time than a corresponding expression specified in the program text.

  • The data objects specified in a dynamic condition should be declared in the same context, if possible, since searches in higher contexts at runtime are more unwieldy.

  • The class CL_ABAP_DYN_PRG contains methods that support the creation of correct and secure dynamic

    • WHERE conditions.

    Example
    Creates a dynamic comparison from user input. In the case of incorrect syntax or incorrect semantics, exceptions are raised that are handled using the common superclass. Any SQL injections are prevented by checks made on the entered column name. If this were not the case, a user could, for example, enter
    "CARRID value OR CARRID" in the field column , producing a condition "CARRID value OR CARRID = value" , which would be true regardless of the entry made in the field value
    .
    PARAMETERS: column TYPE c LENGTH 30,
    value TYPE c LENGTH 30.

    DATA: spfli_tab TYPE TABLE OF spfli,
    cond_syntax TYPE string.

    AT SELECTION-SCREEN.
    TRY.
    cl_abap_dyn_prg=>check_column_name( column ).
    CATCH cx_abap_invalid_name.
    MESSAGE 'Not allowed' TYPE 'E'.
    ENDTRY.

    START-OF-SELECTION.

    cond_syntax = column <(> <)><(> <)> ` = value`.

    TRY.
    SELECT *
    FROM spfli
    INTO TABLE spfli_tab
    WHERE (cond_syntax).
    CATCH cx_sy_dynamic_osql_error.
    MESSAGE `Wrong WHERE condition!` TYPE 'I'.
    ENDTRY.

    Example
    Creating a dynamic WHERE condition by chaining user input as shown below is even more risky than the previous example. Any SQL injections must be prevented by transforming quotation marks in the entry value . A user can, for example, enter "CARRID" in column and "LH' OR CARRID 'LH" in value , which would produce the condition "CARRID = 'LH' OR CARRID 'LH'" (always true) if the quotation marks were not transformed. The transformation produces the condition "CARRID = 'LH'' OR CARRID ''LH'" . The handling of consecutive quotation marks in text field literals results in the column CARRID being compared precisely with the entered value, making the result of the condition always false.
    PARAMETERS: column TYPE c LENGTH 30,
    value TYPE c LENGTH 30.

    DATA: spfli_tab TYPE TABLE OF spfli,
    cond_syntax TYPE string.


    AT SELECTION-SCREEN.
    TRY.
    cl_abap_dyn_prg=>check_column_name( column ).
    CATCH cx_abap_invalid_name.
    MESSAGE 'Not allowed' TYPE 'E'.
    ENDTRY.

    START-OF-SELECTION.

    value = cl_abap_dyn_prg=>escape_quotes( value ).
    cond_syntax = column <(> <)><(> <)> ` = '` <(> <)><(> <)> value <(> <)><(> <)> `'`.

    TRY.
    SELECT *
    FROM spfli
    INTO TABLE spfli_tab
    WHERE (cond_syntax).
    CATCH cx_sy_dynamic_osql_error.
    MESSAGE `Wrong WHERE condition!` TYPE 'I'.
    ENDTRY.
    Documentation extract taken from SAP system, � Copyright SAP AG. All rights reserved




    WHERE_LOGEXP_COMPARE
    WHERE_LOGEXP_EXISTS




    comments powered by Disqus
    SAP Development ABAP SAP Reporting Data Dictionary Search Helps SAP Tables
    Contact Us Partners Terms of Service Privacy Policy Advertise Resources