
MAJOR MAJOR BUG!!! SQL Injection possible using DI Server

My colleague is testing my SBO application which uses the DI Server. I was under the impression that DI Server only allows select statements, but that is not true!! I suspect that the DI Server only checks whether the query starts with 'SELECT'. If that's so, then the statement can be executed.

So what if you do this?

SELECT 1; DELETE FROM OITM

This would be a valid statement, but it will also delete your entire item table. You can execute stored procedures, drop tables and do everything you'd like.

More info about SQL injection:

http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
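The two kinds of check discussed above, as an added example that is not code from the original post or from SAP's DI Server: a prefix-only test of the kind the poster suspects, beside a stricter validator that tokenizes the text so a second statement hidden behind a string literal or a comment is still rejected. How the DI Server really validates queries is not known here and is assumed only for illustration; the check reduces exposure, but the dependable control is a database login that holds read permissions only.

```python
import re

def naive_is_select(sql: str) -> bool:
    """Prefix-only check (the weak behaviour the post suspects): accepts
    'SELECT 1; DELETE FROM OITM' because the text merely starts with SELECT."""
    return sql.lstrip().upper().startswith("SELECT")

def split_statements(sql: str) -> list:
    """Split on ';' that lies outside string literals and comments.
    Comments are dropped so they cannot hide or fake a separator."""
    stmts, buf, i, n = [], [], 0, len(sql)
    while i < n:
        if sql[i] == "'":                         # string literal, '' escapes a quote
            j = i + 1
            while j < n and not (sql[j] == "'" and not sql.startswith("''", j)):
                j += 2 if sql.startswith("''", j) else 1
            if j >= n:
                raise ValueError("unterminated string literal")
            buf.append(sql[i:j + 1]); i = j + 1
        elif sql.startswith("--", i):             # line comment: skip to end of line
            j = sql.find("\n", i); i = n if j < 0 else j
        elif sql.startswith("/*", i):             # block comment: skip it entirely
            j = sql.find("*/", i + 2)
            if j < 0:
                raise ValueError("unterminated block comment")
            i = j + 2
        elif sql[i] == ";":                       # real statement separator
            stmts.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(sql[i]); i += 1
    stmts.append("".join(buf))
    return [s.strip() for s in stmts if s.strip()]

def strict_is_single_select(sql: str) -> bool:
    """Accept only one statement, which must begin with SELECT and must not
    be a SELECT ... INTO (which creates a table in T-SQL). Anything the
    tokenizer cannot make sense of is rejected rather than passed through."""
    try:
        stmts = split_statements(sql)
    except ValueError:
        return False
    if len(stmts) != 1:
        return False
    stmt = stmts[0]
    if not re.match(r"SELECT\b", stmt, re.IGNORECASE):
        return False
    return re.search(r"\bINTO\b", stmt, re.IGNORECASE) is None
```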

Former Member
replied

I am not sure this is so easily doable. How can it be possible to detect from code whether a script writes to the DB? In a productive environment, I mean, with no big impact on performance.

In general this is a problem you will find every time there is an API that sits on top of a DB and has some validation logic in it. It will always be possible to go directly into the DB with an ODBC connection and break the validation logic in the API.
