Most developers creating HANA calculation views or stored procedures take input parameters that are later used in a SQL query to retrieve data from HANA tables. When such a parameter is spliced into the text of a dynamic SQL statement, it must be escaped first so that the value cannot break out of its string literal and alter the statement, i.e. to prevent SQL injection. A simple way to do this consistently is to create a utility procedure that performs the escaping for you; it can then be reused from any procedure that needs it.
Example:
Start by creating a new stored procedure named GET_QUERY_QUOTE with one input parameter, IV_FILTER_STRING NVARCHAR(256), and one output table parameter, QUOTE_T, with a single column QUOTE NVARCHAR(256).
/********* Begin Procedure Script ************/
CREATE PROCEDURE GET_QUERY_QUOTE (
  IN  IV_FILTER_STRING NVARCHAR(256),
  OUT QUOTE_T TABLE (QUOTE NVARCHAR(256))
)
LANGUAGE SQLSCRIPT
AS
BEGIN
  -- Double every single quote ('  ->  '') so the value stays inside a
  -- single-quoted literal when it is concatenated into dynamic SQL.
  QUOTE_T = SELECT REPLACE(:IV_FILTER_STRING, '''', '''''') AS QUOTE FROM DUMMY;
END;
/********* End Procedure Script ************/
This procedure prevents injection through the input value, provided the caller always wraps the escaped output in single quotes when concatenating it into the dynamic statement; it does not protect values used as identifiers (table or column names) or outside a quoted literal. Note also that doubling quotes can lengthen the value, and the output column is the same length as the input, so a value consisting largely of quotes can be truncated.
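As an added example (not code from the original post), the following calling procedure shows how GET_QUERY_QUOTE is consumed before the value is concatenated into dynamic SQL, next to the unsafe pattern it replaces. The table PRODUCTS and its columns are hypothetical, and the final parameterized form assumes a HANA release whose EXECUTE IMMEDIATE supports the USING clause.

```sql
-- Added example: a caller of GET_QUERY_QUOTE that builds dynamic SQL.
-- PRODUCTS(NAME, PRICE) is a hypothetical table used only for illustration.
CREATE PROCEDURE GET_PRODUCTS_BY_NAME (
  IN IV_NAME NVARCHAR(256)
)
LANGUAGE SQLSCRIPT
SQL SECURITY INVOKER
AS
BEGIN
  DECLARE LV_SQL    NVARCHAR(1000);
  DECLARE LV_QUOTED NVARCHAR(256);

  -- UNSAFE (shown for contrast, kept commented out): the raw parameter is
  -- spliced into the statement text. A constructed input such as
  --   O'Brien' OR '1'='1
  -- would close the literal and change the WHERE clause.
  -- LV_SQL = 'SELECT NAME, PRICE FROM PRODUCTS WHERE NAME = '''
  --          || :IV_NAME || '''';

  -- SAFE: escape through the utility procedure first. The constructed input
  --   O'Brien' OR '1'='1
  -- becomes
  --   O''Brien'' OR ''1''=''1
  -- which, once wrapped in single quotes below, is parsed as one literal.
  CALL GET_QUERY_QUOTE(:IV_NAME, LT_QUOTE);
  SELECT QUOTE INTO LV_QUOTED FROM :LT_QUOTE;

  LV_SQL = 'SELECT NAME, PRICE FROM PRODUCTS WHERE NAME = '''
           || :LV_QUOTED || '''';
  EXECUTE IMMEDIATE :LV_SQL;

  -- PREFERRED where available (assumption: HANA release supporting USING):
  -- bind the value as a parameter so no escaping is needed at all.
  -- EXECUTE IMMEDIATE 'SELECT NAME, PRICE FROM PRODUCTS WHERE NAME = ?'
  --   USING :IV_NAME;
END;
```

The escaped path and the bound-parameter path return the same rows for a literal product name; only the bound form is also safe when the value is used in a non-string context.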