
MAJOR MAJOR BUG!!! SQL Injection possible using DI Server

My colleague is testing my SBO application which uses the DI Server. I was under the impression that DI Server only allows select statements, but that is not true!! I suspect that the DI Server only checks whether the query starts with 'SELECT'. If that's so, then the statement can be executed.

So what if you do this?


This would be a valid statement, but it will also delete your entire item table. You can execute stored procedures, drop tables and do everything you'd like.

More info about SQL injection:

Former Member

I am not sure this is so easily doable. How can it be possible to detect from code whether a script writes to the DB? In a productive environment, I mean, with no big impact on performance.

In general this is a problem you will find every time there is an API insisting on a DB and with some validation logic in it. It will always be possible to go directly into the DB with an ODBC connection and break the validation logic in the API.
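As an added illustration (my own code, not from the thread or from SAP), here is the difference between the prefix check the poster suspects and a stricter single-statement check that lexes comments and string literals before looking for a second statement or a write keyword. Table and column names are constructed; the check costs microseconds per query, so it is cheap enough for production, but the dependable control remains a database login with read-only permissions, since any validation in the API layer can be bypassed by whoever can reach the DB directly.

```python
import re

# Keywords whose presence means the statement writes, alters or executes
# something.  A read-only query must not contain any of them outside string
# literals.  The list is deliberately conservative (false positives are fine).
WRITE_KEYWORDS = {
    "INSERT", "UPDATE", "DELETE", "MERGE", "INTO", "DROP", "ALTER", "CREATE",
    "TRUNCATE", "EXEC", "EXECUTE", "GRANT", "REVOKE", "DENY",
}

# -- line comments, /* block comments */ and 'string literals' (with '' escapes)
COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
STRING_RE = re.compile(r"'(?:[^']|'')*'")


def naive_check(sql: str) -> bool:
    """The prefix check the thread suspects the DI Server uses: anything that
    starts with SELECT passes, including a second statement after a ';'."""
    return sql.lstrip().upper().startswith("SELECT")


def normalize(sql: str) -> str:
    """Drop comments, then replace every string literal with the placeholder '?'
    so that ';' or keywords inside literals are not mistaken for SQL.  When the
    two constructs overlap oddly the result is an unterminated quote, which
    is_read_only_select rejects, so mis-lexing fails closed."""
    return STRING_RE.sub("'?'", COMMENT_RE.sub(" ", sql))


def is_read_only_select(sql: str) -> bool:
    """Stricter check: a single SELECT statement with no write/DDL/exec keyword.
    Rejects stacked statements, unterminated strings and unterminated comments."""
    text = normalize(sql)
    if "'" in text.replace("'?'", "") or "/*" in text:
        return False                      # lexer could not make sense of it
    if ";" in text.rstrip().rstrip(";"):  # ';' anywhere but the very end
        return False                      # means more than one statement
    tokens = re.findall(r"[A-Za-z_]+", text.upper())
    if not tokens or tokens[0] != "SELECT":
        return False
    return not any(tok in WRITE_KEYWORDS for tok in tokens)


if __name__ == "__main__":
    # Constructed sample queries; "Items" is a made-up table name.
    for q in ("SELECT ItemCode FROM Items WHERE ItemCode = 'A;1'",
              "SELECT 1; DELETE FROM Items"):
        print(f"naive={naive_check(q)!s:5} strict={is_read_only_select(q)!s:5} {q}")
```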
