on 10-27-2015 3:08 PM
Hi All,
I was reading through the below link:
» SAP HANA XS Interview Questions and Answers
This link quotes the below:
Qs. What is benefit of XOData compared to XSJS?
In HANA XSOData, there is an OData framework which provides many functionalities and we only need to provide details like data source, association etc. This is very helpful for developers as coding effort is almost zero. OData framework also takes care of security aspects like SQL injection, XSRF etc.
While in XSJS, we need to code everything on our own. This results in more coding effort. We also need to take care of security aspects, performance etc.
Since this is not an official SAP website, I would like some confirmation on whether XSODATA indeed offers protection against SQL injection flaws.
Let me know.
Thanks,
Shyam Uthaman
Hi,
It does not provide protection against SQL injection flaws.
It does, however, provide you with the tools to protect yourself against it.
An example: calling a server-side JavaScript program with URL parameters and using these parameters to construct an SQL query which is executed on the DB itself.
As mentioned in the post Calling Procedure from XSJS | SCN, you should work with prepared statements instead of concatenating the parameters directly into the SQL string to be executed.
var conn = $.db.getConnection();
var pstmt;
var rs;
// The SQL text is a single string; the only place a value enters is the '?' placeholder.
var query =
    'SELECT "ROLE_NAME", "ROLE_ID", "ROLE_MODE", "GLOBAL_IDENTITY", "CREATOR", "CREATE_TIME" ' +
    'FROM "SYS"."ROLES" ' +
    'WHERE "CREATOR" = ? ' +
    'ORDER BY "ROLE_NAME"';
pstmt = conn.prepareStatement(query);
pstmt.setString(1, '_SYS_REPO'); // bound as a parameter, never concatenated into the SQL text
rs = pstmt.executeQuery();
// ... read the result set ...
rs.close();
pstmt.close();
conn.close();
SAP wrote a good reference document as well:
http://help.sap.com/hana/SAP_HANA_Developer_Guide_en.pdf
Best Regards
Jonathan Belliot
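To make the difference between the two approaches concrete, here is an added example (not code from the thread or from SAP) of an XSJS-style handler that keeps the request parameter out of the SQL text by binding it as a prepared-statement parameter, shown next to the concatenation pattern it replaces. The real XSJS objects ($.db.getConnection(), $.request.parameters) are replaced by an injected connection so the code runs outside HANA; the fake connection, the makeFakeConnection/findRolesByCreator names and the SAMPLE_ROLES rows are all constructed for this illustration.

```javascript
'use strict';

// Fixed SQL text: the only place a value enters is the '?' placeholder.
const ROLES_BY_CREATOR_SQL =
  'SELECT "ROLE_NAME", "ROLE_ID", "ROLE_MODE", "GLOBAL_IDENTITY", "CREATOR", "CREATE_TIME" ' +
  'FROM "SYS"."ROLES" ' +
  'WHERE "CREATOR" = ? ' +
  'ORDER BY "ROLE_NAME"';

// Vulnerable pattern, kept only for comparison: concatenating the parameter
// lets the caller change the statement itself instead of just the value.
function buildRolesQueryUnsafe(creator) {
  return 'SELECT "ROLE_NAME" FROM "SYS"."ROLES" WHERE "CREATOR" = \'' + creator + '\'';
}

// Safe pattern, following the XSJS prepared-statement API shape:
// conn.prepareStatement(sql) -> { setString(index, value), executeQuery(), close() }
// executeQuery() -> result set with next(), getString(col), close().
// `conn` is injected (hypothetical helper) instead of calling $.db.getConnection().
function findRolesByCreator(conn, creator) {
  // Defence in depth: reject values that cannot be a HANA user name before touching the DB.
  if (typeof creator !== 'string' || creator.length === 0 || creator.length > 256) {
    throw new Error('invalid creator parameter');
  }
  const pstmt = conn.prepareStatement(ROLES_BY_CREATOR_SQL);
  try {
    pstmt.setString(1, creator); // bound as data; the database never parses it as SQL
    const rs = pstmt.executeQuery();
    const roles = [];
    while (rs.next()) {
      roles.push({ name: rs.getString(1), id: rs.getString(2) });
    }
    rs.close();
    return roles;
  } finally {
    pstmt.close();
  }
}

// Constructed stand-in for $.db.getConnection(): records the SQL text and the
// bound parameters (so a test can check they stay separate) and answers from an
// in-memory table. It is not the HANA driver.
function makeFakeConnection(rows) {
  const log = { sql: null, params: [] };
  return {
    log,
    prepareStatement(sql) {
      log.sql = sql;
      return {
        setString(index, value) { log.params[index - 1] = value; },
        executeQuery() {
          // Emulates WHERE "CREATOR" = ? as an exact comparison against the bound value.
          const matches = rows.filter((r) => r.CREATOR === log.params[0]);
          let i = -1;
          return {
            next() { i += 1; return i < matches.length; },
            getString(col) { return col === 1 ? matches[i].ROLE_NAME : matches[i].ROLE_ID; },
            close() {},
          };
        },
        close() {},
      };
    },
  };
}

// Constructed sample rows standing in for SYS.ROLES.
const SAMPLE_ROLES = [
  { ROLE_NAME: 'MONITORING', ROLE_ID: '1', CREATOR: '_SYS_REPO' },
  { ROLE_NAME: 'CONTENT_ADMIN', ROLE_ID: '2', CREATOR: '_SYS_REPO' },
  { ROLE_NAME: 'PUBLIC', ROLE_ID: '3', CREATOR: 'SYSTEM' },
];

// Demonstration: a value that would alter the concatenated query is, with the
// prepared statement, just a string that matches no CREATOR.
function demo() {
  const hostile = "' OR 1=1 --";
  const conn = makeFakeConnection(SAMPLE_ROLES);
  const viaPrepared = findRolesByCreator(conn, hostile);
  return {
    unsafeSql: buildRolesQueryUnsafe(hostile),
    preparedSql: conn.log.sql,
    boundValue: conn.log.params[0],
    rowsReturned: viaPrepared.length,
  };
}

console.log(demo());
```

The point the fake connection makes visible is that `log.sql` is identical for every call while `log.params` carries the caller's value; in real XSJS the same separation is what `$.db` hands to the HANA server, which is why the concatenation variant is the one to avoid.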