User input is one of the main sources of vulnerabilities in a program.
Never use that data as-is, or it can easily turn against you as an SQL injection, a cross-site scripting attack or some other exploit. Always escape it before you put it somewhere it will be interpreted. The catch is that "escaped" only means something relative to a context: a value that is safe inside an HTML text node is not automatically safe inside a URL, a JSON string or a JavaScript literal, so the escaping has to match the place the value ends up. For Open SQL the best escaping is none at all: pass the value as a host variable and it can never be parsed as part of the statement.
SAP already has several function modules and classes to help with this, such as class
CL_ABAP_DYN_PRG for values that end up in dynamic ABAP or dynamic Open SQL. But it's probably more elegant to use the ESCAPE string function, whose FORMAT parameter selects the rules for the target context.
For example, this turns a string into a URL that is safe to use, with the characters not allowed in a URL (here the spaces) percent-encoded:

```abap
DATA(unsafe_url) = 'http://abapinho.com/a b c'.
" FORMAT picks the escaping rules; E_URL applies the rules for a whole URL
DATA(safe_url) = escape( val    = unsafe_url
                         format = cl_abap_format=>e_url ).
```
Try running the DEMO_ESCAPE_* programs to get an idea of what it can do, and look at class
CL_ABAP_FORMAT to get to know all the available formats.
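To show that the FORMAT argument, not the ESCAPE call itself, is what makes a value safe, here is a small report (added for this post, not code from the original or from SAP) that takes one constructed input string and escapes it once per output context, and then shows the Open SQL case where a host variable makes escaping unnecessary. The report name and the input are made up, it needs ABAP 7.40 or later for inline declarations and host variables, and it reads the SAP flight demo table SPFLI.

```abap
REPORT zabapinho_escape_contexts.

" Constructed sample input (hypothetical): it carries characters that are
" dangerous in several output contexts at once.
DATA(user_input) = `<b>a b</b> & "c" 'd'`.

" 1. HTML text node: < > & " ' are turned into character entities.
DATA(html_text) = escape( val    = user_input
                          format = cl_abap_format=>e_html_text ).

" 2. HTML attribute value: same characters, but with the rules for a quoted
"    attribute, so the surrounding quotes stay in control of the markup.
DATA(html_attr) = escape( val    = user_input
                          format = cl_abap_format=>e_html_attr ).

" 3. JSON string literal: quotes and control characters are backslash-escaped.
DATA(json_str) = escape( val    = user_input
                         format = cl_abap_format=>e_json_string ).

" 4. URL: characters not permitted in a URL (the spaces, quotes and angle
"    brackets here) are percent-encoded. E_URL is meant for a whole URL; for
"    escaping a single component, look at the E_URI* formats in CL_ABAP_FORMAT.
DATA(url) = escape( val    = |http://abapinho.com/{ user_input }|
                    format = cl_abap_format=>e_url ).

cl_demo_output=>write( |HTML text:  { html_text }| ).
cl_demo_output=>write( |HTML attr:  <input value="{ html_attr }">| ).
cl_demo_output=>write( |JSON:       \{ "input": "{ json_str }" \}| ).
cl_demo_output=>write( |URL:        { url }| ).

" 5. Open SQL: do not escape and concatenate. A host variable is passed as
"    data and is never parsed as part of the statement, so there is nothing
"    to escape. (SPFLI is the SAP flight demo table.)
DATA carrid TYPE spfli-carrid.
carrid = user_input.   " typed assignment, truncated to the field length
SELECT carrid, connid
  FROM spfli
  WHERE carrid = @carrid
  INTO TABLE @DATA(flights).
cl_demo_output=>write( |Flights found: { lines( flights ) }| ).

cl_demo_output=>display( ).
```

Run it once and compare the four escaped strings: the same input comes out differently each time, which is the whole point. Each result is only safe in the context whose format produced it, so an attribute value escaped with E_HTML_ATTR still has to sit inside a quoted attribute, and a value escaped for HTML must not be reused in a URL or a JSON document.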
Thank you Marcin Wichary for the photo.
Greetings from Abapinho.