
CQL query built from user-controlled sources

If a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.

Recommendation

CAP's intrinsic data querying engine is immune to SQL injection introduced through query parameter values derived from malicious user input: CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. Injection is still possible via CQL, however, when the query structure (e.g. the target entity or the selected columns) is built from user input.

Examples

This CAP application uses user-submitted input as the entity and column of a CQL query without any validation.

```javascript
// Both the target entity and the projected column are taken from the request unvalidated
const entity = <from user input>
const column = <from user input>
SELECT.from(entity).columns(column)
```
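As an added example (not part of the CodeQL query help or of CAP itself), here is the vulnerable construction beside a hardened version that accepts only entity and column names that exist in the model and in an explicit read allowlist. The `MODEL` object is a constructed stand-in for the reflected `cds.model.definitions`, and the queries are written directly in CQN form, which is what `SELECT.from(entity).columns(column)` produces, so the snippet runs without `@sap/cds`.

```javascript
// Constructed stand-in for the reflected CDS model (cds.model.definitions):
// definitions keyed by fully qualified name, each with an `elements` map.
const MODEL = {
  'my.bookshop.Books':   { kind: 'entity', elements: { ID: {}, title: {}, price: {} } },
  'my.bookshop.Authors': { kind: 'entity', elements: { ID: {}, name: {} } },
  'my.bookshop.Secret':  { kind: 'entity', elements: { ID: {}, token: {} } },
}

// Entities and columns a caller may read. Being in the model is not enough:
// without this list a caller could target any entity the model knows about.
const READABLE = {
  'my.bookshop.Books':   new Set(['ID', 'title', 'price']),
  'my.bookshop.Authors': new Set(['ID', 'name']),
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key)

// Vulnerable shape from the query help: user strings become query structure.
// CQN equivalent of SELECT.from(entity).columns(column).
function buildQueryUnsafe(entity, column) {
  return { SELECT: { from: { ref: [entity] }, columns: [{ ref: [column] }] } }
}

// Hardened: the user strings are only ever compared against known names;
// the query is built from the matching allowlisted name, never from raw input.
function buildQuerySafe(model, entity, column) {
  const def = hasOwn(model, entity) ? model[entity] : undefined
  if (!def || def.kind !== 'entity') throw new Error('unknown entity')
  const allowed = hasOwn(READABLE, entity) ? READABLE[entity] : undefined
  if (!allowed || !allowed.has(column) || !hasOwn(def.elements, column)) {
    throw new Error('column not readable')
  }
  return { SELECT: { from: { ref: [entity] }, columns: [{ ref: [column] }] } }
}
```

The same checks apply to any other query part taken from input (ORDER BY columns, WHERE field names, expand paths); in a real service the allowlist would be derived from the served CDS definitions rather than hard-coded.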

References