Wants to resolve ATC check error-Potential sql injection-Group by

sun_light
Explorer
0 Kudos
1,103

Hi experts,

I want a piece of sample code or an exact method to remove the above-mentioned vulnerability in my program.

Below I have shown one dummy example of my code:

ls_field-field1 = name.
APPEND ls_field TO lt_field.
ls_field-field2 = number.
APPEND ls_field TO lt_field.
" Dynamic GROUP BY: the column list is taken from lt_field at runtime
SELECT name number FROM mara INTO TABLE lt_mara GROUP BY (lt_field).
1 ACCEPTED SOLUTION

manfred_reinart
Product and Topic Expert
0 Kudos
817

Please have a look at cl_abap_dyn_prg=>check_whitelist_str

3 REPLIES 3

Sandra_Rossi
Active Contributor
0 Kudos
817

ATC is just sending a warning about possible SQL injection:

group by (lt_field)

ATC asks you: are you sure that the contents of LT_FIELD can't come from user input, are you sure that this input has been checked?

(If not checked, see Manfred's answer.)

If you confirm that it's done, then add the pragma indicated by ATC (one word preceded by the double hash character ##).

But, first of all, is a dynamic list of column names mandatory? Try to use a static list of columns after GROUP BY, like:

group by name number
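
Editor's added example, not code from any poster in this thread: each requested column name is passed through cl_abap_dyn_prg=>check_whitelist_str before it reaches the dynamic GROUP BY, and the SELECT list is built from the same checked names. The MARA columns MTART and MATKL, the report name and the constructed lt_requested input are assumptions standing in for the dummy name/number fields of the question.

```abap
REPORT z_group_by_allowlist_demo.

" Constructed input standing in for column names supplied from outside
" the program (selection screen, RFC parameter, file, ...).
DATA(lt_requested) = VALUE string_table( ( `mtart` ) ( `matkl` ) ).

" Columns this program is willing to group by (assumption for the demo).
CONSTANTS gc_allowed TYPE string VALUE `MTART,MATKL`.

TYPES: BEGIN OF ty_result,
         mtart TYPE mara-mtart,
         matkl TYPE mara-matkl,
         cnt   TYPE i,
       END OF ty_result.

DATA: lt_group  TYPE string_table,
      lt_select TYPE string_table,
      lt_result TYPE STANDARD TABLE OF ty_result WITH EMPTY KEY.

TRY.
    LOOP AT lt_requested INTO DATA(lv_requested).
      " Returns the value if it is in the comma-separated list,
      " otherwise raises cx_abap_not_in_whitelist.
      DATA(lv_checked) = cl_abap_dyn_prg=>check_whitelist_str(
                           val       = to_upper( lv_requested )
                           whitelist = gc_allowed ).
      APPEND lv_checked TO lt_group.
    ENDLOOP.

    " Non-aggregated columns in the SELECT list must match the GROUP BY
    " columns, so both clauses are built from the same checked names.
    lt_select = lt_group.
    APPEND `COUNT( * ) AS cnt` TO lt_select.

    SELECT (lt_select) FROM mara
      INTO CORRESPONDING FIELDS OF TABLE lt_result
      GROUP BY (lt_group).

  CATCH cx_abap_not_in_whitelist INTO DATA(lx_rejected).
    " A name outside the list never reaches the SQL statement.
    DATA(lv_text) = lx_rejected->get_text( ).
    MESSAGE lv_text TYPE 'E'.
ENDTRY.
```

The names are upper-cased before the check so that the input and the list entries are compared in the same case.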

Sandra_Rossi
Active Contributor
817

Please edit your question (Actions>Edit), select your code and press the button [CODE], which makes the code appear colored/indented, it'll be easier for people to look at it. Thanks!