
Avoid malicious code in info-set (SQ02)

Mishael
Participant

Yes, I have a bit of a twisted mind...

I tried to add a SQL DELETE in record processing in an info-set:

(don't worry, it's not a productive system) 😛

I'm afraid it works. I can delete data in table MARA.

Any way to check or exclude some keywords in info-set?

I will continue to investigate...

Misha

1 REPLY

DominikTylczyn
Active Contributor
0 Kudos

Hello mishael

I'm afraid there is no standard way to prevent malicious code injection in SQ02. That's why info set definition is separated from query definition. Only authorized and trusted users should have access to SQ02 and info sets should be reviewed as any other developments. Also, the 100$ question is how to tell if a code is malicious or not.

As a side note, I was on a project once where consultants and IT were not granted development access but they could build info sets. So they devised a cunning method to test their reports. They just inserted them into an info set query. Seriously, they put entire reports with selection screen, data retrieval, ALV display there. That was the method to test them. Crazy, but true.

Best regards

Dominik Tylczynski
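
Following the advice above to review infosets like any other development, here is an added example (not part of the thread and not SAP tooling): a Python triage script that lists statements in infoset coding that open with a database-write or program-call keyword. It assumes the coding has been copied out as plain text; the keyword list and the sample code are constructed for illustration, and a hit only marks a statement for human review.

```python
import re

# Assumed starter watchlist. A hit is a prompt for review, not a verdict: DELETE,
# INSERT and MODIFY also act on internal tables, which a text check cannot tell apart.
WATCHLIST = [
    ("open-sql-write", re.compile(r"(DELETE\s+FROM|INSERT\s+INTO|UPDATE)\b")),
    ("native-sql", re.compile(r"EXEC\s+SQL\b")),
    ("program-call", re.compile(r"(SUBMIT|CALL\s+TRANSACTION)\b")),
    ("ambiguous-write", re.compile(r"(DELETE|INSERT|MODIFY)\b")),
]
LITERAL = re.compile(r"'(?:[^']|'')*'|`[^`]*`")  # '...' and `...` literals

def statements(source):
    """Yield (first_line, text) per ABAP statement with comments and literals removed."""
    buf, start = [], None
    for no, line in enumerate(source.splitlines(), 1):
        if line.startswith("*"):            # '*' in column 1: full-line comment
            continue
        line = LITERAL.sub("''", line)      # literals may hide '.' or '"'
        line = line.split('"', 1)[0]        # '"' starts an inline comment
        for part in re.split(r"(\.)", line):
            if part == ".":                 # a period ends the statement
                if buf:
                    yield start, " ".join(" ".join(buf).split())
                buf, start = [], None
            elif part.strip():
                start = start or no
                buf.append(part)

def scan(source):
    """Return (line, label, statement) for statements opening with a watched keyword."""
    hits = ((no, next((l for l, rx in WATCHLIST if rx.match(s.upper())), None), s)
            for no, s in statements(source))
    return [h for h in hits if h[1]]

# Constructed sample of infoset record-processing code (not from the thread).
SAMPLE = """\
* record processing
lv_text = 'DELETE FROM mara.'.   " keyword inside a literal
" DELETE FROM mara.
DELETE FROM mara
  WHERE matnr = 'X'.
DELETE lt_rows WHERE flag = 'X'.
SUBMIT zreport AND RETURN.
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep=" | ")
```

The commented-out line and the keyword inside a string literal are ignored, while the multi-line `DELETE FROM` is reported at the line where the statement starts.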