2023 Jun 13 7:03 PM
Hi experts,
I want a piece of sample code or the exact method to remove the above-mentioned vulnerability in my program.
Below I have shown one dummy example of my code:
ls_field-field1 = name.
APPEND ls_field TO lt_field.
ls_field-field2 = number.
APPEND ls_field TO lt_field.
SELECT name number FROM mara INTO TABLE lt_mara GROUP BY (lt_field).
2023 Jun 13 7:26 PM
Please have a look at cl_abap_dyn_prg=>check_whitelist_str
2023 Jun 14 8:05 AM
ATC is just sending a warning about possible SQL injection:
group by (lt_field)
ATC asks you: are you sure that the contents of LT_FIELD can't come from user input, are you sure that this input has been checked?
(If not checked, see Manfred's answer.)
If you confirm that it's done, then add the pragma indicated by ATC (one word preceded by the double hash character ##).
But, first of all, is a dynamic list of column names mandatory? Try to use a static list of columns after GROUP BY, like:
group by name number
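The check the two answers above describe, as an added example that is not code from any poster in this thread: each requested column name is passed through cl_abap_dyn_prg=>check_whitelist_str before it reaches the dynamic GROUP BY. The report name, the allow-list and the MARA columns MTART, MATKL and MEINS are assumptions chosen for illustration, and the requested names are constructed sample input.

```abap
REPORT z_groupby_whitelist_demo.  " hypothetical report name

" Constructed sample input. In a real program these names would come from
" a selection screen, an RFC parameter or another untrusted source.
DATA(lt_requested) = VALUE string_table( ( `mtart` ) ( `MATKL` ) ).

" Assumed allow-list: the only MARA columns this report may group by.
CONSTANTS gc_allowed TYPE string VALUE `MTART,MATKL,MEINS`.

DATA lt_field  TYPE string_table.
DATA lt_result TYPE STANDARD TABLE OF mara WITH EMPTY KEY.

TRY.
    LOOP AT lt_requested INTO DATA(lv_requested).
      " Returns the value unchanged if it is in the comma-separated list,
      " otherwise raises CX_ABAP_NOT_IN_WHITELIST.
      DATA(lv_checked) = cl_abap_dyn_prg=>check_whitelist_str(
                           val       = to_upper( lv_requested )
                           whitelist = gc_allowed ).
      APPEND lv_checked TO lt_field.
    ENDLOOP.

    " Only checked names reach the dynamic clauses. The same list is used
    " for the column list and for GROUP BY so the statement stays valid.
    SELECT (lt_field)
      FROM mara
      INTO CORRESPONDING FIELDS OF TABLE lt_result
      GROUP BY (lt_field).

  CATCH cx_abap_not_in_whitelist INTO DATA(lx_not_allowed).
    " A name outside the allow-list: stop before any SQL is executed.
    MESSAGE lx_not_allowed TYPE 'E'.
ENDTRY.
```

If the set of grouping columns never changes, the static form `GROUP BY name number` shown above needs no check at all.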
2023 Jun 14 8:05 AM
Please edit your question (Actions>Edit), select your code and press the button [CODE], which makes the code appear colored/indented, it'll be easier for people to look at it. Thanks!