16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
49 lines
1.1 KiB
Plaintext
49 lines
1.1 KiB
Plaintext
There are two main reasons to ban dynamic clauses in ``++SELECT++`` statements.
|
|
|
|
|
|
The first relates to maintainability. One of the nice features of ABAP Design Time is the connection to the data dictionary; you get syntax errors if you try to address table fields that are not present anymore or that have typos. With dynamic SQL, the ability to statically check the code for this type of error is lost.
|
|
|
|
|
|
The other more critical reason relates to security. By definition, dynamic clauses make an application susceptible to SQL injection attacks.
|
|
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
SELECT (select_clause)
|
|
FROM (from_clause) CLIENT SPECIFIED INTO <fs>
|
|
WHERE (where_clause)
|
|
GROUP BY (groupby_clause) HAVING (having_clause)
|
|
ORDER BY (orderby_clause).
|
|
----
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
[source,abap]
|
|
----
|
|
SELECT *
|
|
FROM db_persons INTO us_persons
|
|
WHERE country IS 'US'.
|
|
----
|
|
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Make sure dynamic clauses are required here.
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|