ABENSQL_INJ_DYN_TOKENS_SCRTY - SQL INJ DYN TOKENS SCRTY

This documentation is copyright by SAP AG.

SQL Injections Using Dynamic Tokens

The ABAP SQL syntax allows almost every clause of a statement to be specified dynamically as the content of a data object given in parentheses. If all or part of the content of one of these data objects originates from outside the program, there is a risk of one of the following SQL injections:

Note

In a dynamic token, it is more secure to specify the name of an ABAP data object as an operand, instead of entering a value as a literal.

Example

The first dynamic WHERE condition is vulnerable to SQL injection if input is external input that is not checked or escaped beforehand. The second dynamic WHERE condition does not require this, because the data object is referenced as a host variable rather than embedded as a literal.

DATA input TYPE string.   " external input, for example from a screen field
DATA wa    TYPE scarr.

" Insecure: the external value is concatenated into the condition as a literal
DATA(sql_cond1) = `CARRID = '` && input && `'`.
SELECT SINGLE * FROM scarr WHERE (sql_cond1) INTO @wa.

" Secure: the data object is referenced as a host variable inside the dynamic token
DATA(sql_cond2) = `CARRID = @input`.
SELECT SINGLE * FROM scarr WHERE (sql_cond2) INTO @wa.

Access to Non-Permitted Database Tables

If dynamically specified database tables source_syntax (for the statement SELECT, or target_syntax for writes) originate in full or in part from outside the program, users could potentially access database tables for which they usually do not have authorization. If the use of external input in dynamically specified database tables is unavoidable, the input must be properly checked. For example, the class CL_ABAP_DYN_PRG can be used to make a comparison with an include list.

Example

In the following program section, the method CHECK_TABLE_NAME_STR only allows access to tables of the flight data model. Input naming other or nonexistent database tables is rejected. Access to oversized database tables is also not allowed, to avoid putting too much strain on system performance.

Access to Non-Permitted Table Columns

If the dynamically specified table columns column_syntax in the SELECT list of the statement SELECT originate fully or in part from outside the program, users could potentially access table columns for which they usually do not have authorization. Users could also rename columns without permission or use aggregate functions to perform unauthorized calculations. If the use of external input in dynamically specified table columns is unavoidable, the input must be properly checked. For example, the class CL_ABAP_DYN_PRG can be used to make a comparison with an include list.

Note

When specifying columns after GROUP BY, the same security advice applies as to columns specified dynamically directly after SELECT.

Example

See the example in column_syntax. There, only columns from an include list are allowed to be read.

Manipulation of the Dynamic WHERE Condition

If a dynamic WHERE condition cond_syntax originates completely or partially from outside the program, then users could potentially access data for which they usually do not have authorization. If the use of external input in a dynamic WHERE condition cannot be avoided, the input must be properly checked and usually escaped as well. To do this, you can use the methods of class CL_ABAP_DYN_PRG.

Note

When dynamically specifying a HAVING condition, the same security advice applies as for the dynamic WHERE condition.

Example

In the following program section, a potential SQL injection is prevented by using the method QUOTE of the class CL_ABAP_DYN_PRG, which adds quotation marks at the beginning and end. If this method is not used, and if "x' OR name <> '" is entered, for example, all the data in the SCUSTOM table would be displayed.

More examples under dynamic WHERE condition.

Manipulation of a Dynamic Change Expression

If a dynamic change expression expr_syntax (for the statement UPDATE) originates completely or partially from outside the program, then users could potentially change data for which they usually do not have authorization. If the use of external input in a dynamic change expression cannot be avoided, the input must be properly checked and usually escaped as well. To do this, you can use the methods of class CL_ABAP_DYN_PRG.

Example

In the following program section, a potential SQL injection is prevented by using the method QUOTE of the class CL_ABAP_DYN_PRG, which adds quotation marks at the beginning and end. If this method is not used, and if "...' discount = '90", for example, is entered in one of the input fields, the discount for the relevant customer would be set to 90.
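The program sections referred to above (dynamic WHERE condition and dynamic change expression) are not reproduced on this page. The following is an added example, not SAP's own code, that shows both patterns with the method QUOTE of CL_ABAP_DYN_PRG; the report name, the selection-screen parameters and the local variable names are assumptions.

```abap
REPORT zdyn_tokens_demo.   " hypothetical report name

" Constructed external input; in practice this arrives from a screen,
" an RFC interface or a file and must be treated as untrusted.
PARAMETERS: p_name  TYPE scustom-name,   " name to search for
            p_id    TYPE scustom-id,     " customer to update
            p_newnm TYPE scustom-name.   " new name for that customer

DATA: customers TYPE TABLE OF scustom,
      cond      TYPE string,
      expr      TYPE string.

" --- Dynamic WHERE condition -------------------------------------------
" Insecure variant (shown only as a comment): the input is embedded as a
" literal, so the input  x' OR name <> '  turns the condition into
" NAME = 'x' OR name <> '' and every row of SCUSTOM is selected.
" cond = `NAME = '` && p_name && `'`.

" Secure variant: QUOTE wraps the value in single quotation marks and
" escapes single quotation marks inside it, so the whole input stays
" one literal and cannot terminate the condition early.
cond = `NAME = ` && cl_abap_dyn_prg=>quote( p_name ).

SELECT * FROM scustom
  WHERE (cond)
  INTO TABLE @customers.

" --- Dynamic change expression (UPDATE ... SET) -------------------------
" Insecure variant (comment only): with the input  ...' discount = '90
" the expression becomes  name = '...' discount = '90'  and a second
" column is changed that the user was never meant to touch.
" expr = `name = '` && p_newnm && `'`.

" Secure variant: the value is quoted and escaped before it enters the
" expression. Where the value is always an ABAP data object, referencing
" it as a host variable ( `name = @p_newnm` ) is the preferred option.
expr = `name = ` && cl_abap_dyn_prg=>quote( p_newnm ).

UPDATE scustom
  SET (expr)
  WHERE id = @p_id.

IF sy-subrc = 0.
  COMMIT WORK.
ELSE.
  ROLLBACK WORK.
ENDIF.
```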