rspec/rules/S1493/abap/rule.adoc

There are two main reasons to ban dynamic clauses in ``++SELECT++`` statements. 


The first relates to maintainability. One of the nice features of ABAP Design Time is the connection to the data dictionary; you get syntax errors if you try to address table fields that are not present anymore or that have typos. With dynamic SQL, the ability to statically check the code for this type of error is lost. 


The other more critical reason relates to security. By definition, dynamic clauses make an application susceptible to SQL injection attacks.


include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
SELECT (select_clause) 
 FROM (from_clause) CLIENT SPECIFIED INTO <fs> 
 WHERE (where_clause) 
 GROUP BY (groupby_clause) HAVING (having_clause) 
 ORDER BY (orderby_clause). 
----


== Compliant Solution

[source,abap]
----
SELECT *
 FROM db_persons INTO us_persons
 WHERE country IS 'US'.
----


include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure dynamic clauses are required here.


endif::env-github,rspecator-view[]
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			There are two main reasons to ban dynamic clauses in ``++SELECT++`` statements.


			`The first relates to maintainability. One of the nice features of ABAP Design Time is the connection to the data dictionary; you get syntax errors if you try to address table fields that are not present anymore or that have typos. With dynamic SQL, the ability to statically check the code for this type of error is lost.`


			`The other more critical reason relates to security. By definition, dynamic clauses make an application susceptible to SQL injection attacks.`


			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`SELECT (select_clause)`
			`FROM (from_clause) CLIENT SPECIFIED INTO <fs>`
			`WHERE (where_clause)`
			`GROUP BY (groupby_clause) HAVING (having_clause)`
			`ORDER BY (orderby_clause).`
			`----`


			`== Compliant Solution`

			`[source,abap]`
			`----`
			`SELECT *`
			`FROM db_persons INTO us_persons`
			`WHERE country IS 'US'.`
			`----`


			`include::../see.adoc[]`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure dynamic clauses are required here.`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`endif::env-github,rspecator-view[]`