There are two main reasons to ban dynamic clauses in SELECT statements.
The first relates to maintainability. One of the nice features of ABAP Design Time is the connection to the data dictionary; you get syntax errors
if you try to address table fields that are not present anymore or that have typos. With dynamic SQL, the ability to statically check the code for
this type of error is lost.
The other more critical reason relates to security. By definition, dynamic clauses make an application susceptible to SQL injection attacks.
Ask Yourself Whether
- The SQL statement can be written without dynamic clauses.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Do not use dynamic clauses in "SELECT" statements.
Sensitive Code Example
SELECT (select_clause)
FROM (from_clause) CLIENT SPECIFIED INTO <fs>
WHERE (where_clause)
GROUP BY (groupby_clause) HAVING (having_clause)
ORDER BY (orderby_clause).
Compliant Solution
SELECT *
FROM db_persons INTO us_persons
WHERE country IS 'US'.
See
