
ABENWHERE_LOGEXP_DYNAMIC - WHERE LOGEXP DYNAMIC

This documentation is copyright by SAP AG.

- (cond_syntax)

Short Reference

... (cond_syntax) ...

Effect

A relational expression can be specified dynamically as a parenthesized data object cond_syntax that, when the statement is executed, either contains the syntax of a logical expression sql_cond valid at this position or is initial. The result of the relational expression (cond_syntax) is the result of the logical expression it contains. If cond_syntax is initial when the statement is executed, the relational expression is true.

The data object cond_syntax can be a character-like data object or a standard table with a character-like line type. As in the static syntax, the content of cond_syntax is not case-sensitive. When an internal table is specified, the syntax can be distributed across multiple rows. Invalid syntax raises a catchable exception of the class CX_SY_DYNAMIC_OSQL_ERROR.

The logical expression in cond_syntax can be joined using AND or OR or negated using NOT and a dynamic logical expression (cond_syntax) can be specified as a single relational expression of a composite logical expression. Host expressions are not allowed in dynamic logical expressions.

If a dynamic SQL condition (cond_syntax) is used for a read, the content of cond_syntax is evaluated once for each query. Any changes made to the content of cond_syntax in a SELECT loop or WITH loop are ignored by the relational expression. See SQL Injections Using Dynamic Tokens.

Notes

  • It is also possible to evaluate an internal table specified after the addition FOR ALL ENTRIES of a main query in a dynamic relational expression.
  • It is possible to check a ranges table in a dynamic relational expression.
  • If cond_syntax is an internal table with a header line, the table body is evaluated, and not the header line.
  • Dynamic relational expressions can also be created interactively using dynamic selections.
  • When a condition is specified dynamically, the syntax check can take place only at runtime. Specifying a relational expression dynamically therefore costs more execution time than the corresponding static specification in the program text.
  • The data objects specified in a dynamic condition should be declared in the same context, if possible, since searches in higher contexts at runtime are more time-consuming.
  • The class CL_ABAP_DYN_PRG contains methods that support the creation of correct and secure dynamic SQL conditions.
  • In dynamic SQL conditions, static attributes or constants of a class cannot be accessed from outside in cases where the class has a static constructor and the constructor was not yet executed.
  • When a subquery is specified dynamically, the syntax check is performed in a strict mode, which handles the statement more strictly than the regular syntax check.
  • If the conditions in (cond_syntax) are to be expressed statically, they should be embedded in parentheses in order to preserve the priority of processing.
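The following report is an added example and is not code from the SAP documentation page. It demonstrates the mechanics described above: a dynamic condition held in an internal table, spread over several rows and written in lower case, combined with a static part by AND, referencing a ranges table as a host variable, and evaluating to true when the table is empty. It assumes the standard flight-data table SFLIGHT exists; the report name and the local class are hypothetical.

```abap
REPORT zdemo_cond_table.

" Added example, not code from the SAP documentation page.
" Assumptions: the standard flight-data table SFLIGHT exists;
" report and class names are hypothetical.

CLASS lcl_flights DEFINITION.
  PUBLIC SECTION.
    TYPES carr_range TYPE RANGE OF sflight-carrid.
    TYPES flight_tab TYPE STANDARD TABLE OF sflight WITH EMPTY KEY.
    CLASS-METHODS select_flights
      IMPORTING cond_lines     TYPE string_table   " dynamic part, may be empty
                carriers       TYPE carr_range     " referenced as @carriers
      RETURNING VALUE(flights) TYPE flight_tab.
ENDCLASS.

CLASS lcl_flights IMPLEMENTATION.
  METHOD select_flights.
    " (cond_lines) is evaluated once per query. An empty table is initial,
    " so the dynamic relational expression is true and only the static part
    " filters. The dynamic text may reference @carriers because the ranges
    " table is visible here, in the same context as the SELECT.
    SELECT * FROM sflight
      WHERE seatsocc < seatsmax
        AND (cond_lines)
      ORDER BY PRIMARY KEY
      INTO TABLE @flights.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA(carriers) = VALUE lcl_flights=>carr_range(
    sign = 'I' option = 'EQ' ( low = 'LH' ) ( low = 'AA' ) ).

  " The rows are joined in order; line breaks may fall anywhere between
  " tokens, and keywords and column names are not case-sensitive. The
  " parentheses keep the OR from binding to the static part of the WHERE.
  DATA(cond_lines) = VALUE string_table(
    ( `carrid in @carriers` )
    ( `and ( price < 500` )
    ( `      or planetype = '747-400' )` ) ).

  DATA(filtered) = lcl_flights=>select_flights( cond_lines = cond_lines
                                                carriers   = carriers ).
  " Empty dynamic part: the relational expression (cond_lines) is true.
  DATA(unfiltered) = lcl_flights=>select_flights( cond_lines = VALUE #( )
                                                  carriers   = carriers ).

  DATA(summary) = |{ lines( filtered ) } of { lines( unfiltered ) } flights with free seats match the dynamic part|.
  WRITE / summary.
```

Because the static part already uses the @ escape character, the statement is checked in strict mode, so the host variable inside the dynamic text must carry the @ as well; a dynamic `carrid in carriers` without it would raise CX_SY_DYNAMIC_OSQL_ERROR at runtime.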

Example

Creation of a dynamic comparison from user input. In the case of incorrect syntax or incorrect semantics, exceptions are raised that are handled using the common superclass. Any SQL injections are prevented by checks on the specified column name. If this were not the case, a user could, for example, enter "CARRID <> value OR CARRID" in the field column, producing a condition "CARRID <> value OR CARRID = value", which would be true regardless of the entry made in the field value.

Example

The creation of a dynamic WHERE condition by concatenating the values of user input is even more risky than the previous example. Any SQL injections must be prevented by transforming quotation marks in the entry value. A user can, for example, enter "CARRID" in column and "LH' OR CARRID <> 'LH" in value, which would produce the always true condition "CARRID = 'LH' OR CARRID <> 'LH'" if the quotation marks were not transformed. After the conversion using the method QUOTE of the class CL_ABAP_DYN_PRG, which also adds quotation marks at the beginning and end, the condition "CARRID = 'LH'' OR CARRID <> ''LH'" is created. The handling of consecutive quotation marks in text field literals results in the column CARRID being compared exactly with the entered value, making the result of the condition always false.
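The following report is an added example that covers both example descriptions above; it is not code from the SAP documentation page. The column name is validated with CL_ABAP_DYN_PRG=>CHECK_COLUMN_NAME in both variants; the value is then either passed as host variable (first example) or embedded as a literal after CL_ABAP_DYN_PRG=>QUOTE (second example). It assumes the standard flight-data table SCARR exists; the report name, parameter names and the local class are hypothetical.

```abap
REPORT zdemo_dynamic_where.

" Added example, not code from the SAP documentation page.
" Assumptions: the standard flight-data table SCARR exists;
" report, parameter and class names are hypothetical.

PARAMETERS: p_column TYPE c LENGTH 30 DEFAULT 'carrid' LOWER CASE,
            p_value  TYPE c LENGTH 30 DEFAULT 'LH' LOWER CASE,
            p_quote  AS CHECKBOX.   " X: embed the value as a literal via QUOTE

CLASS lcl_demo DEFINITION.
  PUBLIC SECTION.
    " Returns the number of SCARR rows matching "column = value",
    " or -1 if the dynamic condition was rejected.
    CLASS-METHODS count_carriers
      IMPORTING column      TYPE csequence
                value       TYPE csequence
                as_literal  TYPE abap_bool
      RETURNING VALUE(hits) TYPE i.
ENDCLASS.

CLASS lcl_demo IMPLEMENTATION.
  METHOD count_carriers.
    DATA cond TYPE string.
    TRY.
        " First example: the user controls only the column name.
        " CHECK_COLUMN_NAME raises CX_ABAP_INVALID_NAME for anything that is
        " not a plain name, so "CARRID <> @value OR CARRID" never reaches the
        " SQL text. The user's value travels as host variable @value and is
        " therefore never parsed as SQL.
        DATA(safe_column) = cl_abap_dyn_prg=>check_column_name( to_upper( column ) ).

        IF as_literal = abap_false.
          cond = safe_column && ` = @value`.
        ELSE.
          " Second example: the value becomes part of the SQL text. QUOTE
          " doubles every single quote inside it and adds the delimiters, so
          " the input  LH' OR CARRID <> 'LH  turns into the one literal
          " 'LH'' OR CARRID <> ''LH' and the condition matches no carrier.
          cond = safe_column && ` = ` && cl_abap_dyn_prg=>quote( value ).
        ENDIF.

        " Syntax and semantics of cond are checked only now, at runtime;
        " both error kinds share the superclass CX_SY_DYNAMIC_OSQL_ERROR.
        SELECT COUNT( * ) FROM scarr
          WHERE (cond)
          INTO @hits.

      CATCH cx_abap_invalid_name INTO DATA(name_error).
        hits = -1.
        DATA(name_text) = name_error->get_text( ).
        WRITE / name_text.
      CATCH cx_sy_dynamic_osql_error INTO DATA(sql_error).
        hits = -1.
        DATA(sql_text) = sql_error->get_text( ).
        WRITE / sql_text.
    ENDTRY.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA(hits) = lcl_demo=>count_carriers( column     = p_column
                                         value      = p_value
                                         as_literal = p_quote ).
  IF hits >= 0.
    DATA(result) = |{ hits } row(s) of SCARR match { to_upper( p_column ) } = { p_value }|.
    WRITE / result.
  ENDIF.
```

Try the two payloads from the text: "CARRID <> @value OR CARRID" in p_column is rejected by CHECK_COLUMN_NAME before any SQL is built, and "LH' OR CARRID <> 'LH" in p_value with p_quote set yields zero hits instead of every row. The host-variable variant is the safer default; the QUOTE variant is only needed when the value genuinely has to be part of the SQL text.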






Length: 6915 Date: 20240328 Time: 215807     sap01-206 ( 118 ms )