Classe para garantir segurança em programação dinâmica
I recently found a program which was generating an SQL statement by concatenating several variables with fixed SQL parts. But, either by not paying attention or simple ignorance, the person who did it, thought it would make sense to associate a text-symbol to each of these variables with. Something like this:
l_where = 'WHERE a = 3'(001).
Needless to say, this is a serious security flaw. Mr. Robot could take advantage of the situation and, by using the translation tool, inject malicious SQL in the program. You can learn more and find examples about SQL injection at Guru99.
It is always important to keep security in mind when working with dynamic code.
Class CL_ABAP_DYN_PRG can help you do this (and much more). The class is full of small utility methods which you should know about because they can be useful when you least expect:
-
CHECK_INT_VALUE
-
ESCAPE_QUOTES
-
ESCAPE_QUOTES_STR
-
QUOTE
-
QUOTE_STR
-
CHECK_COLUMN_NAME
-
CHECK_VARIABLE_NAME
-
CHECK_TABLE_NAME_STR
-
CHECK_TABLE_NAME_TAB
-
CHECK_TABLE_OR_VIEW_NAME_STR
-
CHECK_WHITELIST_STR
-
CHECK_WHITELIST_TAB
-
CHECK_TABLE_OR_VIEW_NAME_TAB
-
ESCAPE_XSS_XML_HTML
-
ESCAPE_XSS_JAVASCRIPT
-
ESCAPE_XSS_CSS
-
ESCAPE_XSS_URL
-
CHECK_CHAR_LITERAL
-
CHECK_STRING_LITERAL
Most of the methods names are self-explanatory but, if you have questions, the class is reasonably well documented.
None of these methods would solve the above example. But in the case in which you expect a value like:
"'Maria'"
…to add it to an SQL statement, you must be sure that what you get is not something like:
"'Maria'. DELETE MARA WHERE MATNR <> 'John'"
And to make sure that doesn’t happen, you can use method CL_ABAP_DYN_PRG=>ESCAPE_QUOTES(), for example.
Greetings from Abapinho.