Ansicht
Dokumentation
ABENSQL_INJ_DYN_TOKENS_SCRTY - SQL INJ DYN TOKENS SCRTY
BAL Application Log Documentation Addresses (Business Address Services)This documentation is copyright by SAP AG.
SQL Injections Using Dynamic Tokens
The syntax allows almost every clause of an statement to be specified dynamically as the content of a data object specified in parentheses. If all of part of the content of one of these data objects originates from outside of the program, there is a risk of one of the following SQL injections:
Note
In a dynamic token, it is more secure to specify the name of an ABAP data object as an operand, instead of entering a value as a literal.
Example
The first dynamic WHERE condition is insecure compared to an SQL injection, if input is an external input, which is not checked or escaped beforehand. This is not necessary for the second dynamic WHERE condition.
DATA(sql_cond1) = `CARRID = '` && input && `'`.
SELECT SINGLE * FROM scarr WHERE (sql_cond1) INTO @wa.
DATA(sql_cond2) = `CARRID = @input`.
SELECT SINGLE * FROM scarr WHERE (sql_cond2) INTO @wa.
Access to Non-Permitted Database Tables
If dynamically specified database tables source_syntax (for the statement SELECT or target_syntax for writes) originate in full or in part from outside the program, users could potentially access databases for which they usually do not have authorization. If the use of external input in dynamically specified database tables is unavoidable, the input must be properly checked. For example, the class CL_ABAP_DYN_PRG can be used to make a comparison with a include list.
Example
In the following program section, the method CHECK_TABLE_NAME_STR only allows access to tables of the flight data model. Input from other or nonexistent database tables are rejected. Access to oversized database tables is also not allowed, to avoid putting too much strain on system performance.
Access to Non-Permitted Table Columns
If the dynamically specified table columns column_syntax in the SELECT list of the statement SELECT originate fully or in part from outside the program, users could potentially access table columns for which they usually do not have authorization. Users could also rename columns without permission or use aggregate functions to perform unauthorized calculations. If the use of external input in a dynamically specified table columns is unavoidable, the input must be properly checked. For example, the class CL_ABAP_DYN_PRG can be used to make a comparison with an include list.
Note
When specifying columns after GROUP BY, the same security advice applies as to columns specified dynamically directly after SELECT.
Example
See the example in column _syntax. Here only columns from an include list are allowed to be read.
Manipulation of the Dynamic WHERE Condition
If a dynamic WHERE condition cond_syntax originates completely or partially from outside the program, then users could potentially access data for which they usually do not have authorization. If the use of external input in a dynamic WHERE condition cannot be avoided, the input must be properly checked and usually escaped as well. To do this, you can sue the methods of class CL_ABAP_DYN_PRG.
Note
When dynamically specifying a HAVING condition, the same security advice applies as for the dynamic WHERE condition.
Example
In the following program section, a potential SQL injection is prevented by using the method QUOTE of the class CL_ABAP_DYN_PRG, which adds quotation marks at the beginning and end. If this method is not used, and if "x' OR name <> '" is entered, for example, all the data in the SCUSTOM table would be displayed.
More examples under dynamic WHERE condition.
Manipulation of a Dynamic Change Expression
If a dynamic change expression expr_syntax (for the statement UPDATE) originates completely or partially from outside the program, then users could potentially change data for which they usually do not have authorization. If the use of external input in a dynamic change expression cannot be avoided, the input must be properly checked and usually escaped as well. To do this, you can sue the methods of class CL_ABAP_DYN_PRG.
Example
In the following program section, a potential SQL injection is prevented by using the method QUOTE of the class CL_ABAP_DYN_PRG, which adds quotation marks at the beginning and end. If this method is not used, and if "...' discount = '90", for example, is entered in one of the input fields, the discount for the relevant customer would be set to 90.
RFUMSV00 - Advance Return for Tax on Sales/Purchases PERFORM Short Reference
This documentation is copyright by SAP AG.
Length: 6073 Date: 20240425 Time: 182714 sap01-206 ( 111 ms )