Kingdom: Code Quality

Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.

Portability Flaw: Native SQL

Abstract
The use of native SQL causes portability problems.
Explanation
SAP systems are designed to be platform independent. Open SQL, SAP's portable SQL dialect, makes applications independent of a specific database vendor's JDBC driver. Using Open SQL abstracts the intricacies of the underlying database and provides application programs with a common interface for all database operations. Native SQL, by contrast, is specific to the underlying database, so code that relies on it may execute application logic incorrectly when deployed on another platform and can potentially cause a denial of service.
Example 1: The following code uses native SQL:

...
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.Statement;
import com.sap.sql.NativeSQLAccess;

Connection conn = ...;        // connection obtained from the application's data source
String mssOnlyStmt = "...";   // statement written in one vendor's SQL dialect
// variant 1: native prepared statement
PreparedStatement ps =
    NativeSQLAccess.prepareNativeStatement(conn, mssOnlyStmt);
. . .
// variant 2: native statement (JDBC execute() returns boolean, not int)
Statement stmt =
    NativeSQLAccess.createNativeStatement(conn);
boolean hasResultSet = stmt.execute(mssOnlyStmt);
. . .
// variant 3: native stored procedure call
CallableStatement cs =
    NativeSQLAccess.prepareNativeCall(conn, mssOnlyStmt);
. . .
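For contrast, the following is an added example, not part of this description and not SAP's own code, showing variants 1 and 2 rewritten against the standard java.sql interfaces with database-neutral SQL. The vendor-specific statement uses the Microsoft SQL Server TOP clause to show what ties code to one database; the table ORDERS, its columns, the stored values and the connection handed in by the caller are all constructed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example: portable replacements for the native variants above.
// Table and column names are constructed; the Connection is assumed to come
// from the application's data source (not shown).
public final class PortableSqlExample {

    // Vendor-bound: TOP is a Microsoft SQL Server extension and fails elsewhere.
    // Kept only to show the construct that makes a statement non-portable.
    static final String MSS_ONLY_STMT =
        "SELECT TOP 10 ORDER_ID, AMOUNT FROM ORDERS WHERE CUSTOMER_ID = ?";

    // Portable: plain ANSI SQL; the row limit is applied through the JDBC API.
    static final String PORTABLE_STMT =
        "SELECT ORDER_ID, AMOUNT FROM ORDERS WHERE CUSTOMER_ID = ? ORDER BY ORDER_ID";

    private PortableSqlExample() {}

    // variant 1 rewritten: PreparedStatement from the Connection, not NativeSQLAccess
    static int countRecentOrders(Connection conn, String customerId) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(PORTABLE_STMT)) {
            ps.setMaxRows(10);            // database-neutral replacement for TOP 10
            ps.setString(1, customerId);  // bind parameter, never string concatenation
            int rows = 0;
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows++;
                }
            }
            return rows;
        }
    }

    // variant 2 rewritten: Statement from the Connection; executeUpdate()
    // returns the affected row count as an int, which is what the original
    // "int result" was presumably meant to capture
    static int purgeCancelledOrders(Connection conn) throws SQLException {
        try (Statement stmt = conn.createStatement()) {
            return stmt.executeUpdate("DELETE FROM ORDERS WHERE STATUS = 'CANCELLED'");
        }
    }
}
```

Both methods use only java.sql types, so the same class runs unchanged on any database for which the platform provides a driver; the only vendor knowledge left in the code is the constant kept for comparison. Reviewing for this flaw therefore reduces to two checks: no references to com.sap.sql.NativeSQLAccess, and no vendor-specific syntax inside the SQL strings themselves.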
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 474
desc.structural.java.portability_flaw_native_sql