Hey guys,
I am currently coding a tool which should be used for automatic pattern detection in data. The patterns are defined by a user in single tables which my services can read. My approach now is to process the data in these tables and to create data inquiries and control logic automatically.
I can already build dynamic SQL Select statements, but now I have to store the retrieved data in new tables, table types or other formats which can be persisted in the db. I am currently working on a HANA system with SPS 7, so I have to use the old $.db API for accessing the db.
My current coding looks like this:
    // Function for creation of a table in schema with specified fields and datatypes
    function createTable(fields, schema, datatypes, tablename){
        var table = tablename;
        var statement = "CREATE TYPE "+table+" AS TABLE(";
        // Specify fields and datatypes
        var index;
        for(index = 0; index < fields.length-1; index++){
            var addcol = fields[index] +" "+datatypes[index]+",";
            statement = statement.concat(addcol);
        }
        var lastcol = fields[fields.length-1] +" "+datatypes[datatypes.length-1]+")";
        statement = statement.concat(lastcol);
        try{
            var conn = $.db.getConnection();
            // Drop table if it already exists
            if(tableExist(table)){
                var deletetable = "DROP TYPE "+table;
                $.trace.debug(deletetable);
                var pstmt = conn.prepareStatement(deletetable);
                pstmt.executeQuery();
            }
            // Create table
            $.trace.debug(statement);
            var ppstmt = conn.prepareStatement(statement);
            ppstmt.executeQuery();
            return "created";
        // Catch database error
        }catch (e) {
            return e.toString();
        }
    }
If I execute the generated SQL statement in the SQL console it works like a charm, but in this case I always get DB errors like 7, 257 for both DROP, CREATE TABLE (TABLE TYPE). My clue is that I raise a SQL injection flaw here.
Is there any smart solution for something like this, because I am not trying to expose data to the client but rather to process it myself. If there are possibilities with SQL Script, please don't mind to mention them.
Kind Regards,
Lukas
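
On the injection concern raised in the post above, an added example (not part of the original post): column names and data types cannot be bound as "?" parameters, so dynamic DDL built from user-defined tables has to validate them against an allow-list before concatenation. The names IDENT_RE, ALLOWED_TYPES, quoteIdent, checkType and buildCreateTableType are hypothetical, and the type list is an assumed subset; the function only builds the statement string, which would then go to conn.prepareStatement as in the post.

```javascript
// Added example; all names here are hypothetical, not part of the $.db API.
// Identifiers: letters, digits and underscore only, not starting with a digit.
var IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]{0,126}$/;
// Assumed subset of column types; extend to what the pattern tables need.
var ALLOWED_TYPES = /^(TINYINT|SMALLINT|INTEGER|BIGINT|DOUBLE|DATE|TIME|TIMESTAMP|DECIMAL\(\d{1,2}(,\d{1,2})?\)|N?VARCHAR\(\d{1,4}\))$/;

function quoteIdent(name) {
    if (typeof name !== "string" || !IDENT_RE.test(name)) {
        throw new Error("Invalid identifier: " + String(name));
    }
    // Upper-cased to match how unquoted identifiers are folded, then delimited.
    // The regex above already excludes the double-quote character.
    return '"' + name.toUpperCase() + '"';
}

function checkType(datatype) {
    // Normalise spacing and case, then require an exact allow-list match.
    var normalized = String(datatype).replace(/\s+/g, "").toUpperCase();
    if (!ALLOWED_TYPES.test(normalized)) {
        throw new Error("Data type not allowed: " + String(datatype));
    }
    return normalized;
}

function buildCreateTableType(schema, typeName, fields, datatypes) {
    // Unlike indexing the two arrays separately, a length mismatch is rejected.
    if (!Array.isArray(fields) || !Array.isArray(datatypes) ||
            fields.length === 0 || fields.length !== datatypes.length) {
        throw new Error("fields and datatypes must be non-empty arrays of equal length");
    }
    var seen = {};
    var columns = fields.map(function (field, i) {
        var key = String(field).toUpperCase();
        if (Object.prototype.hasOwnProperty.call(seen, key)) {
            throw new Error("Duplicate column: " + field);
        }
        seen[key] = true;
        return quoteIdent(field) + " " + checkType(datatypes[i]);
    });
    return "CREATE TYPE " + quoteIdent(schema) + "." + quoteIdent(typeName) +
        " AS TABLE (" + columns.join(", ") + ")";
}
```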