Parameterizing an SQL statement in an unsafe way by directly concatenating the parameter to the statement body may allow arbitrary SQL code fragments to be included to the statement, resulting in possibly destructive behavior.
There are two versions of API to communicate with SAP HANA, and both APIs provide means of preparing SQL statements that not only facilitates code reuse but also protects the parameterize statement from SQL injections.
These functions take as first argument an SQL string with placeholders represented as a question mark surrounded with parentheses ((?)), and the rest of the arguments consist of JavaScript expressions whose values are filled into the position of the respective placeholders.
If you are using the older API that belongs to $.db, consider replacing string concatentation with $.db.executeQuery. For example, the following XSJS application substitutes the value of someParameterValue1 and someParameterValue2 into the position of the first and second placeholder positions, respectively.
let query = "INSERT INTO (?) (COL1) VALUES (?)";
let dbConnection = $.db.getConnection();
dbConnection.executeQuery(query, someParameterValue1, someParameterValue2);If you are using the newer API that belongs to $.hdb, consider replacing string concatentation with $.hdb.Connection.prepareStatement followed by $.db.PreparedStatement.executeUpdate. For example, the following XSJS application substitues the value of someParameterValue1 and someParameterValue2 into the position of the first and second placeholder positions, respectively. After preparation, the application executes the prepared statement and then commits it to the SAP HANA database.
let query = "INSERT INTO (?) (COL1) VALUES (?)";
let dbConnection = $.db.getConnection();
let preparedStatement = dbConnection.prepareStatement(query, someParameterValue1, someParameterValue2);
preparedStatement.executeUpdate();
dbConnection.commit();Each of the following XSJS applications directly concatenates the values of two request paremeters with fragments of an SQL query and executes it.
let someParameterValue1 = JSON.parse(requestParameters.get("someParameter1"));
let someParameterValue2 = JSON.parse(requestParameters.get("someParameter2"));
let query = "INSERT INTO " + someParameterValue1 + ".ENTITY (COL1) VALUES (" + someParameterValue2 + ")";
let dbConnection = $.db.getConnection();
let preparedStatement = dbConnection.prepareStatement(query);
preparedStatement.executeUpdate();
dbConnection.commit();let someParameterValue1 = JSON.parse(requestParameters.get("someParameter1"));
let someParameterValue2 = JSON.parse(requestParameters.get("someParameter2"));
let query = "INSERT INTO " + someParameterValue1 + " (COL1) VALUES (" + someParameterValue2 + ")";
let dbConnection = $.db.getConnection();
dbConnection.executeQuery(query);
dbConnection.commit();- SAP: Server-Side JavaScript Security Considerations.
- SAP: Server-Side JavaScript: Injection Flaws .
- OWASP: SQL Injection.
- Common Weakness Enumeration: CWE-89.
- Common Weakness Enumeration: CWE-943.