SAP SQL INJ ADBC SCRTY

Get Example source ABAP code based on a different SAP table

SQL Injections Using ADBC
When ADBC is used, SQL statements are passed as strings to objects of class ADBC and then passed on to the database system. If all of part of one of these SQL statements originates from outside of the program, there is a risk of an SQL injection.
To prevent SQL Injections, make sure that SQL statements passed to ADBC contain as few parts as possible that originate from outside of the program. If the statements do contain parts from outside the program, the content of these parts should not be chained to the SQL statement. Instead these content should be addressed using the ? placeholder and the associated SET_PARAM methods. If this is not possible, the parts from outside must be checked using the CL_ABAP_DYN_PRG class and escaped if necessary.

Example ABAP Coding

In the following program section, the key value key (entered from outside ) is chained to the SQL statement. It must therefore be escaped using the method QUOTE (which also adds quotation marks at the start and at the end), to prevent SQL injections.
ABEXA 01273
ABAP_EXAMPLE_END

Example ABAP Coding

In this example, the same functionality is used as in the previous example. Here it is not necessary to mask the value, because the input is connected to a parameter (and not chained).
ABEXA 01274
ABAP_EXAMPLE_END