
Prevention of SQL Injection

SQL injection is one of the most common code injection attack methods: malicious SQL fragments are inserted into a statement so that unauthorized SQL is executed in the database, for example to read or modify data. When you provide your own implementation, pay extra attention to preventing SQL injection; the measures required depend on your DBMS and database connection mechanism. For example, ADBC (ABAP Database Connectivity API) does not provide the SAP security features of Open SQL.

Use static Open SQL statements where possible. Check whether it is absolutely necessary to use dynamic Open SQL or dynamic SQL statements in ADBC. If not, switching to static SQL statements eliminates the risk of SQL injection. Always validate or encode input for dynamic statements.

If dynamic SQL statements must be used, use the class CL_ABAP_DYN_PRG to implement input checks and to escape the input for the dynamic clauses.
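The following added example (not part of this SAP documentation page) contrasts a dynamic Open SQL WHERE clause built by plain concatenation with the same clause hardened by CL_ABAP_DYN_PRG. It assumes the ABAP flight-model demo table SCARR with columns CARRID, CARRNAME and CURRCODE; the input values are constructed for the demonstration.

```abap
*&---------------------------------------------------------------------*
*& Added example (not part of the SAP documentation). Assumes the ABAP
*& flight-model demo table SCARR with columns CARRID, CARRNAME, CURRCODE;
*& the "user input" below is constructed for the demonstration.
*&---------------------------------------------------------------------*
REPORT z_demo_dyn_sql_hardening.

DATA: lt_scarr TYPE STANDARD TABLE OF scarr,
      lv_where TYPE string.

" Constructed "user input": a column name and a filter value. The value
" carries a stray single quote, which is how a literal gets broken out of.
DATA(lv_in_col) = `carrid`.
DATA(lv_in_val) = `LH' OR CARRID <> '`.

" --- Vulnerable variant: input pasted straight into the dynamic clause.
" The resulting condition is  CARRID = 'LH' OR CARRID <> ''  and the
" statement returns every carrier instead of the one that was requested.
lv_where = |{ to_upper( lv_in_col ) } = '{ lv_in_val }'|.
SELECT * FROM scarr INTO TABLE @lt_scarr WHERE (lv_where).

" --- Hardened variant using CL_ABAP_DYN_PRG.
TRY.
    " 1. Column name: accept only names from a fixed allow-list. Anything
    "    else raises CX_ABAP_NOT_IN_WHITELIST before any SQL is assembled.
    DATA(lv_col) = cl_abap_dyn_prg=>check_whitelist_tab(
                     val       = to_upper( lv_in_col )
                     whitelist = VALUE string_table( ( `CARRID` )
                                                     ( `CARRNAME` )
                                                     ( `CURRCODE` ) ) ).

    " 2. Value: QUOTE doubles embedded single quotes and wraps the result
    "    in quotes, so the input is always exactly one literal:
    "    'LH'' OR CARRID <> '''
    DATA(lv_literal) = cl_abap_dyn_prg=>quote( lv_in_val ).

    lv_where = |{ lv_col } = { lv_literal }|.
    SELECT * FROM scarr INTO TABLE @lt_scarr WHERE (lv_where).
    " No carrier has that literal as its ID, so the result is empty: the
    " injected text is compared as data, never executed as SQL.

  CATCH cx_abap_not_in_whitelist INTO DATA(lx_wl).
    " Reject the request and log the attempt; do not try to "repair" input.
    MESSAGE lx_wl->get_text( ) TYPE 'E'.
ENDTRY.
```

The allow-list is the decisive control for identifiers such as column or table names, because no escaping routine can make an arbitrary identifier safe; escaping with QUOTE is only appropriate for values that appear as literals.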