
Most developers who create HANA calculation views or stored procedures take input parameters and use them in a SQL query that reads from HANA tables. Whenever such a parameter is concatenated into dynamically built SQL, it has to be sanitized first; otherwise a caller can close the string literal it sits in and append SQL of their own. A simple, reusable way to do this is a utility procedure that escapes the value (doubles every single quote) so that the same logic can be called from any procedure that needs it. Note that HANA SQLScript also ships the built-in functions ESCAPE_SINGLE_QUOTES and ESCAPE_DOUBLE_QUOTES for exactly this purpose, and that static SQL with the parameter referenced directly (WHERE COL = :IV_PARAM) binds the value and needs no escaping at all; the utility below is for the cases where dynamic SQL is unavoidable.

Example:

Start by creating a new stored procedure named GET_QUERY_QUOTE with an input parameter IV_FILTER_STRING of type NVARCHAR(256) and an output table parameter QUOTE_T with a single column QUOTE. Declare the output column as NVARCHAR(512) rather than 256: escaping doubles every single quote, so the result can be up to twice as long as the input, and an input consisting only of quotes would otherwise overflow the column.

/********* Begin Procedure Script ************/

CREATE PROCEDURE GET_QUERY_QUOTE (
    IN  IV_FILTER_STRING NVARCHAR(256),
    -- 512, not 256: a value made only of quotes doubles in length when escaped
    OUT QUOTE_T TABLE (QUOTE NVARCHAR(512)))
LANGUAGE SQLSCRIPT READS SQL DATA AS
BEGIN
    -- In a SQL string literal, '''' is the one-character string ' and
    -- '''''' is the two-character string ''. Every single quote in the input
    -- is doubled, so the value can no longer terminate a surrounding
    -- string literal in dynamically built SQL.
    QUOTE_T = SELECT REPLACE(:IV_FILTER_STRING, '''', '''''') AS QUOTE FROM DUMMY;
END;

/********* End Procedure Script ************/


This procedure neutralizes the most common injection technique, closing a string literal early with a single quote, and is the minimum that any dynamic SQL built from caller-supplied values needs. It is not a complete defense. Quote doubling only helps when the escaped value is placed between single quotes in the generated statement; a value spliced into a numeric comparison, an ORDER BY, a LIMIT, or a table or column name is not protected by it (identifiers need ESCAPE_DOUBLE_QUOTES plus double-quoting, or better, a check against a fixed allow list). Where the shape of the query is fixed and only the values vary, write it as static SQLScript with the input parameter referenced directly (WHERE COL = :IV_FILTER_STRING); the value is then bound, never parsed as SQL, and no escaping is required.
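The utility in use, as an added example that is not part of the original post: one filter procedure written three ways, a vulnerable dynamic-SQL version, the same dynamic SQL with the value routed through GET_QUERY_QUOTE, and a static-SQL version that needs no escaping. The table MYSCHEMA.PRODUCTS, its two rows, the procedure names and the malicious filter value are all constructed for this example; GET_QUERY_QUOTE is assumed to exist in the current schema as defined above, and EXECUTE IMMEDIATE ... INTO a table variable assumes HANA 2.0 SQLScript.

```sql
-- Added example, not from the original post. Constructed table and data.
CREATE TABLE MYSCHEMA.PRODUCTS (NAME NVARCHAR(100), PRICE DECIMAL(10,2));
INSERT INTO MYSCHEMA.PRODUCTS VALUES ('Widget', 9.99);
INSERT INTO MYSCHEMA.PRODUCTS VALUES ('Gadget', 19.99);

-- 1. VULNERABLE: the caller's value is spliced into the SQL text unchanged.
CREATE PROCEDURE MYSCHEMA.SEARCH_PRODUCTS_UNSAFE (
    IN  IV_NAME   NVARCHAR(100),
    OUT OT_RESULT TABLE (NAME NVARCHAR(100), PRICE DECIMAL(10,2)))
LANGUAGE SQLSCRIPT SQL SECURITY INVOKER AS
BEGIN
    DECLARE LV_SQL NVARCHAR(1000);
    -- An IV_NAME of  ' OR 1=1 --  turns the statement into
    --   ... WHERE NAME = '' OR 1=1 --'
    -- the quote closes the literal early and the rest is the attacker's SQL.
    LV_SQL = 'SELECT NAME, PRICE FROM MYSCHEMA.PRODUCTS WHERE NAME = '''
             || :IV_NAME || '''';
    EXECUTE IMMEDIATE :LV_SQL INTO OT_RESULT;
END;

-- 2. ESCAPED: same dynamic SQL, but the value passes through GET_QUERY_QUOTE
--    first. Every ' in the value becomes '', so it cannot close the literal it
--    sits in. This works ONLY because LV_SQL wraps the value in single quotes;
--    it would do nothing for a value spliced into an unquoted position.
CREATE PROCEDURE MYSCHEMA.SEARCH_PRODUCTS_ESCAPED (
    IN  IV_NAME   NVARCHAR(100),
    OUT OT_RESULT TABLE (NAME NVARCHAR(100), PRICE DECIMAL(10,2)))
LANGUAGE SQLSCRIPT SQL SECURITY INVOKER AS
BEGIN
    DECLARE LV_SQL  NVARCHAR(1000);
    DECLARE LV_NAME NVARCHAR(512);   -- escaping can double the length
    -- GET_QUERY_QUOTE from the post above (assumed to be in the current schema);
    -- the built-in ESCAPE_SINGLE_QUOTES(:IV_NAME) would do the same job.
    CALL GET_QUERY_QUOTE(:IV_NAME, LT_QUOTE);
    SELECT QUOTE INTO LV_NAME FROM :LT_QUOTE;
    LV_SQL = 'SELECT NAME, PRICE FROM MYSCHEMA.PRODUCTS WHERE NAME = '''
             || :LV_NAME || '''';
    EXECUTE IMMEDIATE :LV_SQL INTO OT_RESULT;
END;

-- 3. STATIC: no dynamic SQL at all. The parameter is bound as a value and is
--    never parsed as SQL, so no escaping is needed. Prefer this whenever the
--    query shape is fixed and only the values vary.
CREATE PROCEDURE MYSCHEMA.SEARCH_PRODUCTS_STATIC (
    IN  IV_NAME   NVARCHAR(100),
    OUT OT_RESULT TABLE (NAME NVARCHAR(100), PRICE DECIMAL(10,2)))
LANGUAGE SQLSCRIPT SQL SECURITY INVOKER READS SQL DATA AS
BEGIN
    OT_RESULT = SELECT NAME, PRICE FROM MYSCHEMA.PRODUCTS WHERE NAME = :IV_NAME;
END;

-- Constructed attack value: a single quote, a tautology and a line comment.
-- (Inside a SQL literal, '' is one quote character, so ''' OR 1=1 --' is the
-- six-token string  ' OR 1=1 --  .)
CALL MYSCHEMA.SEARCH_PRODUCTS_UNSAFE (''' OR 1=1 --', ?);
CALL MYSCHEMA.SEARCH_PRODUCTS_ESCAPED(''' OR 1=1 --', ?);
CALL MYSCHEMA.SEARCH_PRODUCTS_STATIC (''' OR 1=1 --', ?);
CALL MYSCHEMA.SEARCH_PRODUCTS_STATIC ('Widget', ?);
```

Run in that order, the UNSAFE call returns both rows, because the statement it executes is `SELECT NAME, PRICE FROM MYSCHEMA.PRODUCTS WHERE NAME = '' OR 1=1 --'` and the trailing quote has been commented out. The ESCAPED call executes `... WHERE NAME = ''' OR 1=1 --'`, a comparison against the literal string `' OR 1=1 --`, and returns nothing; the STATIC call compares the bound value the same way and also returns nothing, while the final call returns the single Widget row. If you still need dynamic SQL for a value position on a HANA 2.0 release that supports it, `EXECUTE IMMEDIATE '... WHERE NAME = ?' INTO OT_RESULT USING :IV_NAME` binds the value the way the static version does and removes the need for escaping; escaping remains the fallback for older releases, and neither binding nor quote doubling can protect an identifier position such as a table name.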
