ABENSQL_INJ_ADBC_SCRTY - SQL INJ ADBC SCRTY
This documentation is copyright by SAP AG.
SQL Injections Using ADBC
When ADBC is used, SQL statements are passed as strings to objects of the ADBC classes and then passed on to the database system. If all or part of one of these SQL statements originates from outside of the program, there is a risk of an SQL injection.
To prevent SQL injections, make sure that SQL statements passed to ADBC contain as few parts as possible that originate from outside of the program. If the statements do contain parts from outside the program, the content of these parts should not be chained to the SQL statement. Instead, this content should be addressed using the ? placeholder and the associated SET_PARAM methods. If this is not possible, the parts from outside must be checked using the class CL_ABAP_DYN_PRG and escaped if necessary.
Example
In the following program section, the key value key (entered from outside) is chained to the SQL statement. It must therefore be escaped using the method QUOTE (which also adds quotation marks at the start and at the end) to prevent SQL injections.
Example
In this example, the same functionality is used as in the previous example. Here it is not necessary to mask the value, because the input is bound to a parameter (and not chained).
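The two variants described in the examples above, written out as an added illustration (this is not the code from the SAP documentation). The table DEMO_TABLE, its column KEY_FIELD and the external input iv_key are assumptions made for this example.

```abap
" Added example, not SAP's own. DEMO_TABLE / KEY_FIELD are hypothetical;
" iv_key stands for a value that enters the program from outside.
TYPES: BEGIN OF ty_row,
         key_field TYPE c LENGTH 10,
       END OF ty_row.
DATA lt_rows TYPE STANDARD TABLE OF ty_row WITH EMPTY KEY.
DATA(lv_key) = iv_key.   " external input

TRY.
    " Variant 1: external value chained into the statement text.
    " Acceptable only because QUOTE escapes the value and adds the
    " enclosing quotation marks; without QUOTE this is injectable.
    DATA(lv_sql_chained) =
      |SELECT key_field FROM demo_table WHERE key_field = | &&
      cl_abap_dyn_prg=>quote( lv_key ).
    DATA(lo_stmt1)   = NEW cl_sql_statement( ).
    DATA(lo_result1) = lo_stmt1->execute_query( lv_sql_chained ).
    lo_result1->set_param_table( REF #( lt_rows ) ).
    lo_result1->next_package( ).
    lo_result1->close( ).

    " Variant 2 (preferred): ? placeholder bound with SET_PARAM.
    " The value is passed separately and never parsed as SQL, so no
    " masking or quoting is required.
    CLEAR lt_rows.
    DATA(lo_stmt2) = NEW cl_sql_statement( ).
    lo_stmt2->set_param( REF #( lv_key ) ).
    DATA(lo_result2) = lo_stmt2->execute_query(
      `SELECT key_field FROM demo_table WHERE key_field = ?` ).
    lo_result2->set_param_table( REF #( lt_rows ) ).
    lo_result2->next_package( ).
    lo_result2->close( ).
  CATCH cx_sql_exception INTO DATA(lx_sql).
    " Handle database errors (e.g. log lx_sql->get_text( )).
ENDTRY.
```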