ABAP Keyword Documentation → ABAP - Security Notes → Further Security Risks
Cross-Client Database Access
Each client is a self-contained unit. The automatic
client handling in
Open SQL function ensures
that application programs can only access the business data in the current client. In Open SQL, switching
off automatic client handling using the addition
CLIENT SPECIFIED or switching
to a different client using the addition
USING CLIENT can be considered as access to foreign data that is critical for security.
In Native SQL, there is no automatic client handling and the client in question must be specified explicitly in the access conditions. Here, specifying a client other than the current client entails accessing foreign data.
Cross-client access to database tables is permitted only in system programs in the system client .
7.31 | 7.40 | 7.54
See also the programming guidelines for client handling.
The following program excerpts permit a user to access customer data in any client. This should be avoided at all costs.
DATA client TYPE sy-mandt. client = sy-mandt. cl_demo_input=>request( CHANGING field = client ). SELECT * FROM scustom USING CLIENT @client INTO TABLE @DATA(customers1). cl_demo_output=>display( customers1 ). SELECT * FROM scustom CLIENT SPECIFIED WHERE mandt = @client INTO TABLE @DATA(customers2). cl_demo_output=>display( customers2 ).