SQL Injection flaws via ODATA

shyam_uthaman
Participant
0 Kudos

Hi All,

I was reading through the below link:

» SAP HANA XS Interview Questions and Answers

This link quotes the below:


Qs. What is the benefit of XSOData compared to XSJS?

In HANA XSOData, there is an OData framework which provides many functionalities and we only need to provide details like data source, association etc. This is very helpful for developers as coding effort is almost zero. The OData framework also takes care of security aspects like SQL injection, XSRF etc.

While in XSJS, we need to code everything on our own. This results in more coding effort. We also need to take care of security aspects, performance etc.

Since this is not an official SAP website, I would like some confirmation on whether XSODATA indeed offers protection against SQL injection flaws.

Let me know.

Thanks,

Shyam Uthaman

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

It does not provide protection against SQL injection flaws.

It does, however, provide you with the tools to protect yourself against it.

An example:

When calling a server-side JavaScript program with URL parameters, you use these parameters to construct an SQL query which is executed on the DB itself.

As mentioned in the post Calling Procedure from XSJS | SCN

You should work with prepared statements instead of concatenating the parameters directly into the SQL string to be executed.

var conn = $.db.getConnection();
var pstmt;
var rs;
// The SQL text is fixed; the "?" placeholder is bound below, so the value never
// becomes part of the SQL string. (XSJS is ES5, so the lines are joined with +.)
var query =
     'SELECT "ROLE_NAME", "ROLE_ID", "ROLE_MODE", "GLOBAL_IDENTITY", "CREATOR", "CREATE_TIME" ' +
     'FROM "SYS"."ROLES" ' +
     'WHERE "CREATOR" = ? ' +
     'ORDER BY "ROLE_NAME"';
pstmt = conn.prepareStatement(query);
// Bind the value; the driver sends it as data, not as SQL text.
pstmt.setString(1, '_SYS_REPO');
rs = pstmt.executeQuery();
// ... read the rows from rs, then release the resources.
rs.close();
pstmt.close();
conn.close();

SAP wrote a good reference document as well:

     http://help.sap.com/hana/SAP_HANA_Developer_Guide_en.pdf

Best Regards

Jonathan Belliot
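As an added illustration of the point in this answer (not code from the thread, from SAP, or from the XS engine): the `$.db` API is only available inside SAP HANA XS, so the snippet below contrasts the two query-building styles in plain Node.js, with a constructed object standing in for the prepared statement. The sample inputs are constructed for the demonstration. The check it runs is the one a reviewer would apply to any XSJS handler: with parameter binding the SQL text must be identical whatever the caller sends, while with concatenation the text (and, for an input containing a quote, the pairing of string literals) changes with the input.

```javascript
// Added example, not code from the thread. SAP HANA's $.db API is not available
// outside the XS engine, so the two query-building styles are contrasted in plain
// Node.js; the object returned by buildPrepared() stands in for pstmt.

// The query from the answer above, reduced to the part that matters.
const SQL_PREFIX =
  'SELECT "ROLE_NAME", "ROLE_ID" FROM "SYS"."ROLES" WHERE "CREATOR" = ';

// Vulnerable pattern: the caller-supplied value is spliced into the SQL text.
function buildByConcatenation(creator) {
  return SQL_PREFIX + "'" + creator + "'" + ' ORDER BY "ROLE_NAME"';
}

// Safe pattern: the SQL text is a constant and the value travels separately,
// as pstmt.setString(1, value) does in XSJS.
function buildPrepared(creator) {
  return {
    sql: SQL_PREFIX + '? ORDER BY "ROLE_NAME"',
    params: [creator],
  };
}

// Count single-quote characters outside double-quoted identifiers. An odd
// count means the string literals no longer pair up: the input altered the
// SQL syntax instead of staying inside one literal.
function singleQuoteCount(sql) {
  let count = 0;
  let inIdentifier = false;
  for (const ch of sql) {
    if (ch === '"') inIdentifier = !inIdentifier;
    else if (ch === "'" && !inIdentifier) count += 1;
  }
  return count;
}

// Reviewer's check: does the SQL text change with the input at all? With
// binding it must not; with concatenation it does, which is the root of the flaw.
function sqlTextVariesWithInput(builder, inputs) {
  const texts = new Set(
    inputs.map((v) => {
      const built = builder(v);
      return typeof built === 'string' ? built : built.sql;
    })
  );
  return texts.size > 1;
}

// Constructed sample inputs: a normal value and one containing a quote, as a
// surname might.
const SAMPLE_INPUTS = ['_SYS_REPO', "O'Brien"];

function demo() {
  const concat = SAMPLE_INPUTS.map(buildByConcatenation);
  const prepared = SAMPLE_INPUTS.map(buildPrepared);
  return {
    concatQuoteCounts: concat.map(singleQuoteCount), // [2, 3]: second query is malformed
    preparedQuoteCounts: prepared.map((p) => singleQuoteCount(p.sql)), // [0, 0]
    concatVaries: sqlTextVariesWithInput(buildByConcatenation, SAMPLE_INPUTS), // true
    preparedVaries: sqlTextVariesWithInput(buildPrepared, SAMPLE_INPUTS), // false
    preparedParams: prepared.map((p) => p.params[0]), // values arrive unchanged
  };
}

console.log(demo());
```

The quote counter is deliberately simple (a doubled `''` escape counts as two, so correctly escaped literals still come out even); its purpose is to make visible that concatenation lets the input change the statement's structure, whereas the bound parameter reaches the database as a value and the statement text stays constant.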

thomas_jung
Developer Advocate
0 Kudos

The generic XSODATA, regardless of what was already posted incorrectly in this thread, does protect against SQL Injection.

Former Member
0 Kudos

The XS OData does provide protection against SQL injection, but the SSJS does not.

However, the info about SSJS is still correct even though it might not be an answer to the question.

My bad

shyam_uthaman
Participant
0 Kudos

Thanks for the answer. And Thank you for reviving this 1 year old question of mine. Forgot about the question completely.

Former Member
0 Kudos

Too bad I wasn't helpful

Answers (0)