Skip to Content

SQL Injection flaws via ODATA

Hi All,

I was reading through the below link:

» SAP HANA XS Interview Questions and Answers

This link quotes the below:

Qs. What is benefit of XOData compared to XSJS?

In HANA XSOData, there is a OData framework which provide many functionalities and we only need to provide details like data source, association etc. This is very helpful for developers as coding effort is almost zero. OData framework also takes care of security aspects like SQL injection, XSRF etc.

While in XSJS, we need to code everything our own. This results into more coding effort. We also need to take care of security aspects, performance etc.

Since this not an official SAP website, I would like some confirmation on whether the XSODATA indeed offers protection against SQL Injection flaws.

Let me know.


Shyam Uthaman

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    avatar image
    Former Member
    Aug 29, 2016 at 09:08 AM


    It does not provide protection against SQL injection flaws.

    It does, however, provide you with the tools to project yourself against it.

    An example:

    when calling a server side javascript program with url parameters and you use these parameters to construct an SQL query which is executed on the DB itself.

    Like @Thomas Jung mentioned in the post Calling Procedure from XSJS | SCN

    You should work with prepared statements instead of concatenating the parameters directly in the SQL string to be executed.

    var conn = $.db.getConnection();

    var pstmt;

    var rs;

    var query =


         FROM "SYS"."ROLES"

         WHERE "CREATOR" = ?

         ORDER BY "ROLE_NAME" ';

    pstmt = conn.prepareStatement(query);

    pstmt.setString(1, '_SYS_REPO');

    rs = pstmt.executeQuery();

    SAP wrote a good reference document as well:

    Best Regards

    Jonathan Belliot

    Add comment
    10|10000 characters needed characters exceeded