ABENSQL_INJ_ADBC_SCRTY - SQL INJ ADBC SCRTY

This documentation is copyright by SAP AG.

SQL Injections Using ADBC

When ADBC is used, SQL statements are passed as strings to objects of the ADBC classes and then passed on to the database system. If all or part of one of these SQL statements originates from outside of the program, there is a risk of an SQL injection.

To prevent SQL injections, make sure that SQL statements passed to ADBC contain as few parts as possible that originate from outside of the program. If the statements do contain parts from outside the program, the content of these parts should not be chained to the SQL statement. Instead, this content should be addressed using the ? placeholder and the associated SET_PARAM methods. If this is not possible, the parts from outside must be checked using the class CL_ABAP_DYN_PRG and escaped if necessary.

Example

In the following program section, the key value key (entered from outside) is chained to the SQL statement. It must therefore be escaped using the method QUOTE of CL_ABAP_DYN_PRG (which also adds quotation marks at the start and at the end) to prevent SQL injections.

Example

In this example, the same functionality is used as in the previous example. Here it is not necessary to escape the value, because the input is bound to a parameter (and not chained).
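The two variants described above (chained value escaped with QUOTE, and value bound to a ? placeholder with SET_PARAM), as one added example that is not part of the SAP documentation. The program name, the table DEMO_TABLE and its column KEY_FIELD are assumptions; the ADBC classes, CL_ABAP_DYN_PRG=>QUOTE and CL_DEMO_OUTPUT are standard.

```abap
REPORT demo_adbc_injection.  "hypothetical program name (assumption)

"Input from outside the program: a selection-screen parameter.
TYPES ty_key  TYPE c LENGTH 10.
TYPES ty_keys TYPE STANDARD TABLE OF ty_key WITH EMPTY KEY.
PARAMETERS p_key TYPE ty_key.

CLASS lcl_demo DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS query_escaped       IMPORTING key TYPE ty_key.
    CLASS-METHODS query_parameterized IMPORTING key TYPE ty_key.
  PRIVATE SECTION.
    CLASS-METHODS show IMPORTING result TYPE REF TO cl_sql_result_set.
ENDCLASS.

CLASS lcl_demo IMPLEMENTATION.
  METHOD query_escaped.
    "Variant 1: the value is chained into the statement text, so it MUST be
    "escaped. QUOTE doubles embedded single quotes and wraps the value in
    "quotes, so the external input cannot terminate the literal.
    TRY.
        DATA(lv_sql) = `SELECT key_field FROM demo_table WHERE key_field = `
                    && cl_abap_dyn_prg=>quote( key ).   "assumed table/column
        show( NEW cl_sql_statement( )->execute_query( lv_sql ) ).
      CATCH cx_sql_exception INTO DATA(lx_sql).
        cl_demo_output=>display( lx_sql->get_text( ) ).
    ENDTRY.
  ENDMETHOD.

  METHOD query_parameterized.
    "Variant 2 (preferred): the statement text is constant; the value is bound
    "to the ? placeholder via SET_PARAM and never becomes part of the SQL text.
    TRY.
        DATA(lv_key)  = key.
        DATA(lo_stmt) = NEW cl_sql_statement( ).
        lo_stmt->set_param( REF #( lv_key ) ).
        show( lo_stmt->execute_query(
          `SELECT key_field FROM demo_table WHERE key_field = ?` ) ).
      CATCH cx_sql_exception INTO DATA(lx_sql).
        cl_demo_output=>display( lx_sql->get_text( ) ).
    ENDTRY.
  ENDMETHOD.

  METHOD show.
    "Fetch the result set into an internal table and display it.
    DATA lt_keys TYPE ty_keys.
    result->set_param_table( REF #( lt_keys ) ).
    result->next_package( ).
    result->close( ).
    cl_demo_output=>display( lt_keys ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  lcl_demo=>query_escaped( p_key ).
  lcl_demo=>query_parameterized( p_key ).
```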
