DevendraKumar Saxena

Preventing SQL Injection in HANA

Most developers creating HANA calculation views or stored procedures use input parameters that end up in a SQL query retrieving data from HANA tables. It is important to sanitize such an input parameter before it is used, so as to prevent SQL injection in the code. A safe way to do this is to create a utility procedure that performs the sanitizing for you; it can then be reused in other procedures as needed.

Example:

Start by creating a new stored procedure named GET_QUERY_QUOTE, with input parameter IV_FILTER_STRING NVARCHAR(256) and output parameter QUOTE_T with a column QUOTE NVARCHAR(256).

/********* Begin Procedure Script ************/

-- header built from the parameters listed above
CREATE PROCEDURE GET_QUERY_QUOTE (
    IN  IV_FILTER_STRING NVARCHAR(256),
    OUT QUOTE_T TABLE (QUOTE NVARCHAR(256))
)
LANGUAGE SQLSCRIPT
READS SQL DATA AS
BEGIN

    -- double every single quote in the input so it can only be read as one string literal
    QUOTE_T = SELECT REPLACE(:IV_FILTER_STRING, '''', '''''') AS QUOTE FROM DUMMY;

END;

/********* End Procedure Script ************/


Because every single quote in the value is doubled, a string that has passed through this procedure can only be read as one literal when it is spliced into a statement; it cannot terminate the literal and inject further SQL into your procedure.
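The helper is only useful where the dynamic statement is actually built. The procedure below is an added example, not code from the original post: it runs the same dynamic query twice, once with the value escaped by GET_QUERY_QUOTE and spliced in as a literal, and once with a bind parameter so the value never becomes part of the statement text. It assumes a table ORDERS with a column CUSTOMER_NAME and a HANA release whose EXEC supports INTO and USING.

```sql
-- Added example (not from the original post). Assumptions: table ORDERS with
-- column CUSTOMER_NAME NVARCHAR(256); EXEC ... INTO ... USING available.
CREATE PROCEDURE COUNT_ORDERS_BY_CUSTOMER (
    IN  IV_CUSTOMER   NVARCHAR(256),
    OUT EV_COUNT_ESC  INTEGER,   -- result obtained via quote escaping (the post's approach)
    OUT EV_COUNT_BIND INTEGER    -- result obtained via a bind parameter
)
LANGUAGE SQLSCRIPT
SQL SECURITY INVOKER
READS SQL DATA AS
BEGIN
    DECLARE lv_quoted NVARCHAR(512);   -- doubling quotes can make the value longer than the input
    DECLARE lv_sql    NVARCHAR(1000);

    -- Approach 1: escape the value with the helper from the post, then splice the
    -- result into the statement text surrounded by single quotes.
    CALL GET_QUERY_QUOTE(:IV_CUSTOMER, lt_quote);
    SELECT QUOTE INTO lv_quoted FROM :lt_quote;
    -- the built-in ESCAPE_SINGLE_QUOTES(:IV_CUSTOMER) performs the same doubling
    lv_sql = 'SELECT COUNT(*) FROM ORDERS WHERE CUSTOMER_NAME = '''
             || :lv_quoted || '''';
    EXEC :lv_sql INTO EV_COUNT_ESC;

    -- Approach 2: keep the statement text fixed and bind the value at execution.
    -- The input never enters the SQL text, so a quote in it cannot alter the statement.
    lv_sql = 'SELECT COUNT(*) FROM ORDERS WHERE CUSTOMER_NAME = ?';
    EXEC :lv_sql INTO EV_COUNT_BIND USING :IV_CUSTOMER;
END;

-- Constructed test value containing a single quote. With approach 1 the statement
-- built is ... WHERE CUSTOMER_NAME = 'O''Brien'; both output counts must agree.
CALL COUNT_ORDERS_BY_CUSTOMER('O''Brien', ?, ?);
```

If both counts differ for an input containing quotes, the concatenation path is not escaping correctly and should be treated as an injection risk.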

1 Comment
Thorsten Niehues

Is it really important in the following scenarios:

- Calculation views are read-only; how is it relevant there?

- In a stored procedure the SQL statements are pre-compiled (except for dynamic SQL). Is it really possible to use SQL injection in a stored procedure (with write permissions) but no dynamic SQL?