ABAP Keyword Documentation → ABAP - Security Notes → Security Risks Caused by Input from Outside → SQL Injections
SQL Injections Using Object Services
Filter conditions are passed to a query as character strings in the query service of the Object Services. If such a filter condition (or part of it) originates outside the program, the same risk of an SQL injection is incurred as when a dynamic WHERE condition in ABAP SQL is manipulated. To prevent SQL injections of this kind, either parameters from a parameter list must be used or the externally supplied parts must be escaped using the class CL_ABAP_DYN_PRG.
The executable example DEMO_QUERY_SERVICE is secure, since the interactive input is passed to the query using parameter bindings. If the source code after the statement TRY is replaced as follows, however, SQL injections are possible:
    query_manager = cl_os_system=>get_query_manager( ).
    " The interactive input airpfrom and airpto is concatenated directly
    " into the filter string between single quotes, without escaping.
    query = query_manager->create_query(
              i_filter = `AIRPFROM = '` && airpfrom &&
                         `' AND AIRPTO = '` && airpto && `'` ).
    " The query object is then executed via the class agent's
    " get_persistent_by_query( ) method (the start of that statement is
    " not reproduced here):
              i_query = query ).
If airpfrom and airpto contain the values "FRA' OR AIRPFROM <> '" and "SIN' OR AIRPTO <> '", for example, all existing data is read. If no parameter bindings are used, therefore, airpfrom and airpto must be escaped:
    " quote( ) wraps each value in single quotes and doubles any single
    " quote inside it, so the input can only ever form one literal.
              i_filter = `AIRPFROM = ` &&
                         cl_abap_dyn_prg=>quote( airpfrom ) &&
                         ` AND AIRPTO = ` &&
                         cl_abap_dyn_prg=>quote( airpto ) ).
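The following is an added example, not part of the ABAP documentation or of DEMO_QUERY_SERVICE: it rebuilds both filter strings above in Python and runs them against a constructed in-memory table that stands in for the query service, so the difference between the concatenated and the quoted filter can be observed on real rows. The function quote() reproduces the documented behaviour of CL_ABAP_DYN_PRG=>QUOTE (single quotes around the value, embedded single quotes doubled); the table contents are made up.

```python
import sqlite3

# Constructed sample rows modelled on the columns of SPFLI (not real SAP data).
SAMPLE_SPFLI = [
    ("LH", "0400", "FRA", "JFK"),
    ("LH", "0402", "FRA", "SIN"),
    ("SQ", "0026", "SIN", "FRA"),
    ("AA", "0017", "JFK", "SFO"),
]


def quote(value: str) -> str:
    """Mimics CL_ABAP_DYN_PRG=>QUOTE: wrap in single quotes and double every
    embedded single quote, so the value can only ever be one string literal."""
    return "'" + value.replace("'", "''") + "'"


def vulnerable_filter(airpfrom: str, airpto: str) -> str:
    """The concatenation from the page: input lands inside the quotes unescaped."""
    return "AIRPFROM = '" + airpfrom + "' AND AIRPTO = '" + airpto + "'"


def escaped_filter(airpfrom: str, airpto: str) -> str:
    """The corrected variant from the page: each value passes through quote()."""
    return "AIRPFROM = " + quote(airpfrom) + " AND AIRPTO = " + quote(airpto)


def run_query(filter_condition: str) -> list:
    """Stand-in for the query service: apply the filter as a WHERE condition
    to an in-memory copy of the sample table and return (CARRID, CONNID)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE spfli (CARRID TEXT, CONNID TEXT, "
                "AIRPFROM TEXT, AIRPTO TEXT)")
    con.executemany("INSERT INTO spfli VALUES (?, ?, ?, ?)", SAMPLE_SPFLI)
    rows = con.execute(
        "SELECT CARRID, CONNID FROM spfli WHERE " + filter_condition).fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    hostile_from, hostile_to = "FRA' OR AIRPFROM <> '", "SIN' OR AIRPTO <> '"
    print("benign, concatenated:", run_query(vulnerable_filter("FRA", "SIN")))
    # Every row comes back: the input has turned the condition into OR-terms.
    print("hostile, concatenated:", run_query(vulnerable_filter(hostile_from, hostile_to)))
    # Nothing comes back: the same input is now compared as one literal.
    print("hostile, quoted:", run_query(escaped_filter(hostile_from, hostile_to)))
```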