Technology Blogs by SAP

Most developers who build HANA calculation views or stored procedures use input parameters that end up in a SQL query against HANA tables. Such input must be sanitized before it is used, so that SQL injection cannot reach the code. A safe way to do this is to create a utility procedure that performs the escaping for you; it can then be reused in other procedures whenever it is needed.

Example:

Start by creating a new stored procedure named GET_QUERY_QUOTE with one input parameter, IV_FILTER_STRING (NVARCHAR 256), and one table-typed output parameter, QUOTE_T, with a single column QUOTE (NVARCHAR 256).

/********* Begin Procedure Script ************/

-- Header matching the signature described above: one scalar input, one table output.
CREATE PROCEDURE GET_QUERY_QUOTE (
    IN  IV_FILTER_STRING NVARCHAR(256),
    OUT QUOTE_T TABLE (QUOTE NVARCHAR(256))
)
LANGUAGE SQLSCRIPT
READS SQL DATA AS
BEGIN

    -- Double every single quote so the value cannot terminate a string literal.
    -- Note: the result can be up to twice as long as the input.
    QUOTE_T = SELECT REPLACE(:IV_FILTER_STRING, '''', '''''') AS QUOTE FROM DUMMY;

END;

/********* End Procedure Script ************/

Because every single quote in the input is doubled, the value can no longer terminate a string literal, which prevents intentional SQL injection into your procedure.
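To show concretely what the quote-doubling buys you, and where it matters, here is an added example that is not part of the original post. It is Python against an in-memory SQLite database, used as a stand-in for HANA because doubling a single quote inside a string literal is standard SQL and behaves the same in both; the CUSTOMERS table, its rows and the function names are constructed for the example. It places the injectable pattern (raw concatenation into dynamic SQL) beside the same statement with the value passed through a get_query_quote function that mirrors the REPLACE in GET_QUERY_QUOTE, and beside a statement that binds the parameter instead of assembling a string. Two practical points follow from it: the escaping is only needed where a value is concatenated into dynamic SQL (EXEC / EXECUTE IMMEDIATE); a parameter used directly in a static SQLScript statement is bound, not spliced. And since the escaped value can be up to twice as long as the input, the output column must be sized for that (the procedure above declares both input and output as NVARCHAR 256).

```python
import sqlite3

# Constructed sample rows standing in for a HANA table.
CUSTOMERS = [
    (1, "Alice", "TOKEN-A"),
    (2, "Bob", "TOKEN-B"),
    (3, "O'Brien", "TOKEN-C"),
]


def get_query_quote(filter_string: str) -> str:
    """Python equivalent of the GET_QUERY_QUOTE procedure:
    double every single quote so the value can sit inside a SQL
    string literal without terminating it."""
    return filter_string.replace("'", "''")


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database with the constructed CUSTOMERS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CUSTOMERS (ID INTEGER, NAME TEXT, TOKEN TEXT)")
    conn.executemany("INSERT INTO CUSTOMERS VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def query_unsafe(name: str) -> list:
    """Dynamic SQL built by raw concatenation: the injectable pattern.
    A name such as ' OR '1'='1 turns the WHERE clause into a tautology,
    and a legitimate name containing a quote (O'Brien) is a syntax error."""
    sql = "SELECT ID, NAME FROM CUSTOMERS WHERE NAME = '" + name + "'"
    return _connect().execute(sql).fetchall()


def query_escaped(name: str) -> list:
    """Same dynamic SQL, but the value goes through the quoting utility
    first, so it stays a single literal whatever it contains."""
    sql = "SELECT ID, NAME FROM CUSTOMERS WHERE NAME = '" + get_query_quote(name) + "'"
    return _connect().execute(sql).fetchall()


def query_bound(name: str) -> list:
    """Static SQL with a bound parameter: no statement text is assembled
    from the input, so there is nothing to escape."""
    return _connect().execute(
        "SELECT ID, NAME FROM CUSTOMERS WHERE NAME = ?", (name,)
    ).fetchall()


def escaped_fits(filter_string: str, column_width: int = 256) -> bool:
    """Sizing check: does the escaped value still fit the output column?
    Worst case is an input made only of quotes, which doubles in length."""
    return len(get_query_quote(filter_string)) <= column_width


if __name__ == "__main__":
    hostile = "' OR '1'='1"
    print("unsafe :", query_unsafe(hostile))    # every row
    print("escaped:", query_escaped(hostile))   # no row
    print("bound  :", query_bound(hostile))     # no row
    print("escaped O'Brien:", query_escaped("O'Brien"))
    print("fits 256:", escaped_fits("'" * 200))  # False: 400 chars after escaping
```

Running the block prints all three rows for the unsafe variant and an empty result for the escaped and bound variants; the escaped variant also handles the legitimate name O'Brien, which the unsafe concatenation cannot even parse.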

1 Comment
Is it really important in the following scenarios:

- Calculation Views are read only - how is it relevant there?

- In a stored procedure the SQL statements are pre-compiled (except for dynamic SQL). Is it really possible to use SQL injection in a stored procedure (with write permissions) but no dynamic SQL?