Проверка на SQL Injection

Пример с формированием строки Where через стандартные классы:

"Fill Criteria For Example
DATA(ls_comp_refkey_ranges) = VALUE ace_comp_specific_obj_ranges(  ).

ls_comp_refkey_ranges-tabname = 'MARA'.
ls_comp_refkey_ranges-field_ranges = VALUE #( ( fieldname  = 'MATNR'
                                                fieldrange = VALUE #( ( sign   = 'I'
                                                                        option = 'EQ'
                                                                        low    = cl_abap_dyn_prg=>quote_str( '1' ) ) ) ) ).

"Generate Dynamic Where
DATA(lt_where_clauses) = VALUE rsds_where_tab( ).
cl_ace_generic_services=>convert_generic_ranges(
   EXPORTING
     is_comp_ranges   = ls_comp_refkey_ranges
   IMPORTING
     et_where_clauses = lt_where_clauses[]
).

DATA(lt_where_clauses_str) = VALUE string_table( ).
DATA(lt_whitelist_tab) = VALUE string_hashed_table( ).

*  avoid SQL injection
LOOP AT lt_where_clauses ASSIGNING FIELD-SYMBOL(<ls_where_clauses>).
  DATA(lv_str) = <ls_where_clauses>-line.
  APPEND lv_str TO lt_where_clauses_str.
  INSERT condense( lv_str ) INTO TABLE lt_whitelist_tab.
ENDLOOP.

TRY .
    cl_abap_dyn_prg=>mass_check_whitelist_tab(
      EXPORTING
        values     = lt_where_clauses_str
        whitelist  = lt_whitelist_tab
      RECEIVING
        values_ret = lt_where_clauses_str
    ).
  CATCH cx_abap_not_in_whitelist.
    RETURN.
ENDTRY.

SELECT *
  INTO TABLE @DATA(lt_mara)
  FROM mara
 WHERE (lt_where_clauses_str).

"Fill Criteria For Example

DATA(ls_comp_refkey_ranges) = VALUE ace_comp_specific_obj_ranges( ).

ls_comp_refkey_ranges-tabname = 'MARA'.

ls_comp_refkey_ranges-field_ranges = VALUE #( ( fieldname = 'MATNR'

fieldrange = VALUE #( ( sign = 'I'

option = 'EQ'

low = cl_abap_dyn_prg=>quote_str( '1' ) ) ) ) ).

"Generate Dynamic Where

DATA(lt_where_clauses) = VALUE rsds_where_tab( ).

cl_ace_generic_services=>convert_generic_ranges(

EXPORTING

is_comp_ranges = ls_comp_refkey_ranges

IMPORTING

et_where_clauses = lt_where_clauses[]

DATA(lt_where_clauses_str) = VALUE string_table( ).

DATA(lt_whitelist_tab) = VALUE string_hashed_table( ).

* avoid SQL injection

LOOP AT lt_where_clauses ASSIGNING FIELD-SYMBOL(<ls_where_clauses>).

DATA(lv_str) = <ls_where_clauses>-line.

APPEND lv_str TO lt_where_clauses_str.

INSERT condense( lv_str ) INTO TABLE lt_whitelist_tab.

ENDLOOP.

TRY .

cl_abap_dyn_prg=>mass_check_whitelist_tab(

EXPORTING

values = lt_where_clauses_str

whitelist = lt_whitelist_tab

RECEIVING

values_ret = lt_where_clauses_str

CATCH cx_abap_not_in_whitelist.

RETURN.

ENDTRY.

SELECT *

INTO TABLE @DATA(lt_mara)

FROM mara

WHERE (lt_where_clauses_str).

Если условие формируется вручную, можно использовать cl_abap_dyn_prg=>check_whitelist_tab:

"Generate Dynamic Where
DATA(lv_where) = |MARA~MATNR = { cl_abap_dyn_prg=>quote_str( val = '1' ) } AND MARA~LVORM = { cl_abap_dyn_prg=>quote_str( val = 'X' ) }|.
DATA(lt_whitelist_tab) = VALUE string_hashed_table( ).

*  avoid SQL injection
INSERT condense( lv_where ) INTO TABLE lt_whitelist_tab[].

TRY .
  DATA(lv_where_white) =
    cl_abap_dyn_prg=>check_whitelist_tab(
      EXPORTING
        val       = lv_where
        whitelist = lt_whitelist_tab[]
    ).
  CATCH cx_abap_not_in_whitelist.
    RETURN.
ENDTRY.

SELECT *
  INTO TABLE @DATA(lt_mara)
  FROM mara
 WHERE (lv_where_white).

"Generate Dynamic Where

DATA(lv_where) = |MARA~MATNR = { cl_abap_dyn_prg=>quote_str( val = '1' ) } AND MARA~LVORM = { cl_abap_dyn_prg=>quote_str( val = 'X' ) }|.

DATA(lt_whitelist_tab) = VALUE string_hashed_table( ).

* avoid SQL injection

INSERT condense( lv_where ) INTO TABLE lt_whitelist_tab[].

TRY .

DATA(lv_where_white) =

cl_abap_dyn_prg=>check_whitelist_tab(

EXPORTING

val = lv_where

whitelist = lt_whitelist_tab[]

CATCH cx_abap_not_in_whitelist.

RETURN.

ENDTRY.

SELECT *

INTO TABLE @DATA(lt_mara)

FROM mara

WHERE (lv_where_white).