SAP SQL INJ DYN TOKENS SCRTY



Get Example source ABAP code based on a different SAP table
  



SQL Injections Using Dynamic Tokens
The AB_SQL syntax allows almost every clause of an AB-SQL statement to be specified dynamically as the content of a data object specified in parentheses. If all of part of the content of one of these data objects originates from outside of the program, there is a risk of one of the following SQL injections:
ITOC



Latest notes:
In a dynamic token, it is more secure to specify the name of an ABAP data object as an operand, instead of entering a value as a literal.
ABAP_HINT_END



Example ABAP Coding

The first dynamic WHERE condition is insecure compared to an SQL injection, if input is an external input, which is not checked or escaped beforehand. This is not necessary for the second dynamic WHERE condition. DATA(sql_cond1) = `CARRID = '` input `'`.
SELECT SINGLE * FROM scarr WHERE (sql_cond1) INTO @wa.

DATA(sql_cond2) = `CARRID = @input`.
SELECT SINGLE * FROM scarr WHERE (sql_cond2) INTO @wa.
ABAP_EXAMPLE_END

Access to Non-Permitted Database Tables
If dynamically specified database tables source_syntax (for the statement SELECT or target_syntax for writes) originate in full or in part from outside the program, users could potentially access databases for which they usually do not have authorization. If the use of external input in dynamically specified database tables is unavoidable, the input must be properly checked. For example, the class CL_ABAP_DYN_PRG can be used to make a comparison with a include list.



Example ABAP Coding

In the following program section, the method CHECK_TABLE_NAME_STR only allows access to tables of the flight data model. Input from other or nonexistent database tables are rejected. Access to oversized database tables is also not allowed, to avoid putting too much strain on system performance.
ABEXA 01275
ABAP_EXAMPLE_END

Access to Non-Permitted Table Columns
If the dynamically specified table columns column_syntax in the SELECT list of the statement SELECT originate fully or in part from outside the program, users could potentially access table columns for which they usually do not have authorization. Users could also rename columns without permission or use aggregate functions to perform unauthorized calculations. If the use of external input in a dynamically specified table columns is unavoidable, the input must be properly checked. For example, the class CL_ABAP_DYN_PRG can be used to make a comparison with an include list.



Latest notes:
When specifying columns after GROUP BY , the same security advice applies as to columns specified dynamically directly after SELECT.
ABAP_HINT_END



Example ABAP Coding

See the example in column _syntax. Here only columns from an include list are allowed to be read.
ABAP_EXAMPLE_END

Manipulation of the Dynamic <(>WHERE<)> Condition
If a dynamic WHERE condition cond_syntax originates completely or partially from outside the program, then users could potentially access data for which they usually do not have authorization. If the use of external input in a dynamic WHERE condition cannot be avoided, the input must be properly checked and usually escaped as well. To do this, you can sue the methods of class CL_ABAP_DYN_PRG.



Latest notes:
When dynamically specifying a HAVING condition, the same security advice applies as for the dynamic WHERE condition.
ABAP_HINT_END



Example ABAP Coding

In the following program section, a potential SQL injection is prevented by using the method QUOTE of the class CL_ABAP_DYN_PRG, which adds quotation marks at the beginning and end. If this method is not used, and if x' OR name <> ' is entered, for example, all the data in the SCUSTOM table would be displayed.
ABEXA 01276
More examples under dynamic WHERE condition.
ABAP_EXAMPLE_END

Manipulation of a Dynamic Change Expression
If a dynamic change expression expr_syntax (for the statement UPDATE ) originates completely or partially from outside the program, then users could potentially change data for which they usually do not have authorization. If the use of external input in a dynamic change expression cannot be avoided, the input must be properly checked and usually escaped as well. To do this, you can sue the methods of class CL_ABAP_DYN_PRG.



Example ABAP Coding

In the following program section, a potential SQL injection is prevented by using the method QUOTE of the class CL_ABAP_DYN_PRG, which adds quotation marks at the beginning and end. If this method is not used, and if ...' discount = '90, for example, is entered in one of the input fields, the discount for the relevant customer would be set to 90.
ABEXA 01277
ABAP_EXAMPLE_END