
SQL Injections Using ADBC

When ADBC is used, SQL statements are passed as strings to objects of the ADBC classes (for example CL_SQL_STATEMENT) and forwarded to the database system unchanged. If all or part of such an SQL statement originates from outside the program, there is a risk of an SQL injection.

To prevent SQL injections, make sure that the SQL statements passed to ADBC contain as few parts as possible that originate from outside the program. If a statement does contain such parts, their contents should not be chained into the statement text. Instead, they should be referenced using the ? placeholder and bound with the associated SET_PARAM methods, so that the database receives them as values and never parses them as SQL. If this is not possible, the parts from outside must be checked using the class CL_ABAP_DYN_PRG and masked if necessary.



Example

In the following program section, the key value key (entered from outside) is chained into the SQL statement. It must therefore be masked using the method QUOTE, which doubles every single quote inside the value and adds quotation marks at the start and at the end, so that the input can only ever be read as one string literal and not as part of the SQL syntax.

DATA key TYPE string.
" key is entered from outside the program and is therefore untrusted
cl_demo_input=>request( CHANGING field = key ).

TRY.
    " The statement text is assembled by chaining; the external value is
    " masked with QUOTE so that it can only be interpreted as a literal
    DATA(result) = NEW cl_sql_statement( )->execute_query(
          `SELECT carrname ` &&
          `FROM scarr ` &&
          `WHERE mandt  = ` && `'` && sy-mandt && `' AND` &&
          `      carrid = ` &&
          cl_abap_dyn_prg=>quote( to_upper( key ) ) ).
    " Bind the result column to a host variable and read the first row
    DATA name TYPE scarr-carrname.
    result->set_param( REF #( name ) ).
    result->next( ).
    cl_demo_output=>display( name ).
  CATCH cx_sql_exception INTO DATA(err).
    cl_demo_output=>display( err->get_text( ) ).
ENDTRY.

Example

This example has the same functionality as the previous one. Here it is not necessary to mask the value, because the input is bound to a ? placeholder parameter and not chained into the statement text: the database receives key as a value for carrid, so its content cannot alter the structure of the statement. The SET_PARAM calls must be made in the order of the placeholders, before execute_query is called.

DATA key TYPE string.
" key is entered from outside the program and is therefore untrusted
cl_demo_input=>request( CHANGING field = key ).

TRY.
    DATA(sql) = NEW cl_sql_statement( ).
    " Input parameters are bound positionally, in the order of the ? placeholders
    sql->set_param( REF #( sy-mandt ) ).
    sql->set_param( REF #( key ) ).
    " The statement text contains no external content at all
    DATA(result) = sql->execute_query(
          `SELECT carrname ` &&
          `FROM scarr ` &&
          `WHERE mandt  = ? AND carrid = ?` ).
    " Bind the result column to a host variable and read the first row
    DATA name TYPE scarr-carrname.
    result->set_param( REF #( name ) ).
    result->next( ).
    cl_demo_output=>display( name ).
  CATCH cx_sql_exception INTO DATA(err).
    cl_demo_output=>display( err->get_text( ) ).
ENDTRY.
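The two ABAP examples above show the safe forms but not what an attacker's input actually does to the chained statement. The following Python program is an added example, not part of this documentation and not ADBC code: it models the same SELECT on an in-memory SQLite table with constructed rows that stand in for SCARR, and runs three variants side by side. carrname_chained is the unmasked chaining that the page warns against, carrname_masked reproduces the first example (a quote() function that models the behaviour of CL_ABAP_DYN_PRG=>QUOTE by doubling embedded single quotes and adding outer quotation marks), and carrname_bound reproduces the second example with ? placeholders. The mandt value is treated as trusted, as sy-mandt is on the page. The payload string, the table contents and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the SCARR table used on the page:
# (mandt = client, carrid = carrier ID, carrname = carrier name). Not SAP data.
SAMPLE_ROWS = [
    ("100", "LH", "Lufthansa"),
    ("100", "AA", "American Airlines"),
    ("200", "LH", "Lufthansa (client 200)"),
]

# Constructed attacker-controlled key value. to_upper() leaves it unchanged, and
# the unmasked single quote lets it break out of the carrid string literal.
PAYLOAD = "X' OR ''='"


def open_db():
    """In-memory SQLite database holding the constructed SCARR rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scarr (mandt TEXT, carrid TEXT, carrname TEXT)")
    conn.executemany("INSERT INTO scarr VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def quote(value):
    """Model of CL_ABAP_DYN_PRG=>QUOTE (assumed equivalent): double every
    embedded single quote and wrap the result in single quotes, so the value
    is always read by the database as exactly one string literal."""
    return "'" + value.replace("'", "''") + "'"


def carrname_chained(conn, mandt, key):
    """Vulnerable: the external key is chained into the statement text unmasked."""
    sql = ("SELECT carrname FROM scarr WHERE mandt = '" + mandt
           + "' AND carrid = '" + key.upper() + "'")
    return [row[0] for row in conn.execute(sql)]


def carrname_masked(conn, mandt, key):
    """First example on the page: key is chained, but masked with quote()."""
    sql = ("SELECT carrname FROM scarr WHERE mandt = '" + mandt
           + "' AND carrid = " + quote(key.upper()))
    return [row[0] for row in conn.execute(sql)]


def carrname_bound(conn, mandt, key):
    """Second example on the page: key is bound to a ? placeholder and is
    therefore passed to the database as a value, never parsed as SQL."""
    sql = "SELECT carrname FROM scarr WHERE mandt = ? AND carrid = ?"
    return [row[0] for row in conn.execute(sql, (mandt, key.upper()))]


def run_demo(mandt="100"):
    """Run all three variants with a legitimate key and with the payload and
    return the carrier names each variant produced."""
    conn = open_db()
    results = {}
    for name, fn in (("chained", carrname_chained),
                     ("masked", carrname_masked),
                     ("bound", carrname_bound)):
        results[name] = {"lh": fn(conn, mandt, "lh"),
                         "payload": fn(conn, mandt, PAYLOAD)}
    conn.close()
    return results


if __name__ == "__main__":
    for name, res in run_demo().items():
        print(f"{name:8s} key=lh -> {res['lh']}  key=payload -> {res['payload']}")
```

With the legitimate key lh all three variants return Lufthansa for client 100. With the payload, the chained variant executes `... AND carrid = 'X' OR ''=''`, which is true for every row and therefore also leaks the row of client 200, bypassing the client restriction. The masked variant compares carrid with the literal `X' OR ''='` and returns nothing, and the bound variant returns nothing because the payload never reaches the SQL parser at all. Parameter binding is the preferred form because it needs no reasoning about escaping rules; masking with QUOTE is the fallback for places where a placeholder is not possible.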