Cross-Client Database Access
Each client is a self-contained unit. Implicit client handling in ABAP SQL ensures that application programs can only access the business data in the current client by default. In ABAP SQL, using the addition USING CLIENT to switch to different clients or using the obsolete addition CLIENT SPECIFIED to disable implicit client handling can be viewed as a critical attack on the security of data in other clients.
In Native SQL and AMDP, there is no implicit client handling and the client in question must be specified explicitly in the access conditions. Here, specifying a client other than the current client entails accessing foreign data.
Cross-client access to database tables is permitted only in system programs in the system client.
See also the programming guidelines for client handling.
The following program section permits a user to access customer data in any client. This should be avoided at all costs.
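" The client ID starts out as the current client ...
DATA client TYPE sy-mandt.
client = sy-mandt.
" ... but the user can overwrite it with any client ID.
cl_demo_input=>request( CHANGING field = client ).
" USING CLIENT switches the read to whatever client was entered.
SELECT * FROM scustom USING CLIENT @client INTO TABLE @DATA(customers).
cl_demo_output=>display( customers ).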
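A review-time check for the two additions named above, as an added example in Python that is not part of the SAP documentation: it splits ABAP source into statements and flags ABAP SQL statements that use USING CLIENT or CLIENT SPECIFIED. The function names, the simplified statement splitter and the constructed sample source are assumptions of this example.

```python
import re

# The two ABAP SQL additions the page names; all identifiers here are hypothetical.
USING_CLIENT = re.compile(r"\bUSING\s+CLIENT\s+(\S+)", re.I)
CLIENT_SPECIFIED = re.compile(r"\bCLIENT\s+SPECIFIED\b", re.I)
SQL_START = re.compile(r"(SELECT|INSERT|UPDATE|MODIFY|DELETE|WITH|OPEN\s+CURSOR)\b", re.I)

def statements(source):
    """Yield (start_line, text) per period-terminated statement, comments dropped."""
    buf, start, quote = [], None, None
    for no, line in enumerate(source.splitlines(), 1):
        for ch in ("" if line.startswith("*") else line):  # skip full-line comments
            if quote:                          # inside a literal: keep its periods
                buf.append(ch)
                quote = None if ch == quote else quote
            elif ch == '"':                    # inline comment runs to end of line
                break
            elif ch == ".":                    # statement terminator
                yield start, "".join(buf).strip()
                buf, start = [], None
            else:
                quote = ch if ch in "'`|" else None
                start = no if start is None and not ch.isspace() else start
                buf.append(ch)
        buf.append(" ")
        quote = None                           # simplification: literals end with the line

def find_cross_client_access(source):
    findings = []
    for line, stmt in statements(source):
        if not SQL_START.match(stmt):          # only ABAP SQL statements are of interest
            continue
        m = USING_CLIENT.search(stmt)
        if m:
            kind = "literal client" if m.group(1).startswith("'") else "host variable (runtime value)"
            findings.append((line, "USING CLIENT", m.group(1), kind))
        if CLIENT_SPECIFIED.search(stmt):
            findings.append((line, "CLIENT SPECIFIED", None, "implicit client handling disabled"))
    return findings

SAMPLE = """\
* constructed sample; the first SELECT is the statement from the page
SELECT * FROM scustom USING CLIENT @client
  INTO TABLE @DATA(customers).
SELECT * FROM scustom INTO TABLE @DATA(own).   " implicit client handling
SELECT * FROM scustom CLIENT SPECIFIED WHERE mandt = '800' INTO TABLE @DATA(other).
WRITE 'USING CLIENT is discussed in the docs.'.
"""
```

Calling `find_cross_client_access(SAMPLE)` reports the statements starting on lines 2 and 5 of the sample; a host-variable operand deserves the closest review because its value is only known at runtime.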