ABAP/JAVA DEVELOPER TIPS

Beware of misused ABAP queries!


Peng Siong Lim
03.28.2002
Rating: 4.09 (out of 5). Hall of Fame tip of the month winner.




A user who is allowed to write code in ABAP Query (the code sections of an SQ02 functional area) does not need S_TCODE authorization for a transaction in order to start it. A CALL TRANSACTION placed in that code starts any transaction whose program does not protect itself with its own AUTHORITY-CHECK OBJECT ... statement: the transaction-start check that the system performs when the user types a transaction code into the command field is not in the path at all.

This tip shows how ABAP Query can be misused in this way to run unauthorized transaction codes. Two points a security reviewer should keep in mind: whether CALL TRANSACTION performs an S_TCODE check of its own depends on the release, on the profile parameter auth/check/calltransaction and on the entries maintained in transaction SE97 (table TCDCOUPLES), and newer releases add an explicit WITH AUTHORITY-CHECK addition to the statement; and the root cause is not the statement itself but the ability to put arbitrary ABAP into a query, so the SQ02 code sections (S_QUERY change and maintain authorization) should be restricted to developers and InfoSet code reviewed like any other custom code.



Code

For demonstration purposes, here is an example of how this can be done:

A. Create a functional area in SQ02 (called an InfoSet in later releases)
1. Use Direct Read on a small table such as T001 and create a functional group containing a single field, for example T001-BUKRS (company code). This is only a dummy so that the query shows a selection screen when it runs.
2. Go to Code > Data and declare a parameter that will hold the transaction code: PARAMETERS: tcode(10).
3. Go to Code > Start of Selection and enter the statement: CALL TRANSACTION tcode.
4. Save and generate.

B. Create a query in SQ01
1. When creating the query, make sure at least one field (the company code in this example) is a selection field so that the query gets a selection screen prompt; which field it is does not matter. Then define the basic list.
2. Save and execute. Enter a company code and save the result as a variant with the company code field hidden (that is why the field is only a dummy).
3. Run the query with that variant and enter a transaction code, for example ST05. The transaction starts even though ST05 is not in your authorization profile.
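The following is an added example, not code from the original tip. It shows the two SQ02 code sections as the tip describes them, and then the same Start of Selection section with an explicit S_TCODE check in front of the CALL TRANSACTION so that the query can start only transactions the running user is authorized for anyway. The parameter name p_tcode is the editor's own choice; message 172 of class 00 is assumed here to be SAP's standard "not authorized to use transaction" message.

```abap
*-----------------------------------------------------------------------
* Added example, not part of the original tip. Code sections of an SQ02
* functional area / InfoSet. Names such as P_TCODE are the editor's own.
*-----------------------------------------------------------------------

* ---- Code > Data ----------------------------------------------------
* The transaction to start is typed on the query's selection screen.
* sy-tcode is 20 characters, which covers every transaction code.
PARAMETERS: p_tcode TYPE sy-tcode.

* ---- Code > Start of Selection: the unsafe version from the tip -------
* CALL TRANSACTION does not check S_TCODE on its own (unless the system
* has been configured to do so for it), so this single line starts any
* transaction whose program performs no AUTHORITY-CHECK of its own.
*
*   CALL TRANSACTION p_tcode.

* ---- Code > Start of Selection: hardened version ----------------------
* Check the same authorization object the command field checks, S_TCODE
* with field TCD, for the calling user before dispatching.
AUTHORITY-CHECK OBJECT 'S_TCODE'
         ID 'TCD' FIELD p_tcode.
IF sy-subrc <> 0.
  " Assumed standard message: "You are not authorized to use transaction &"
  MESSAGE e172(00) WITH p_tcode.
ENDIF.

* Only reached with sy-subrc = 0, i.e. the user holds S_TCODE for P_TCODE.
CALL TRANSACTION p_tcode.
```

The S_TCODE check covers the authorization the tip bypasses, but not the transaction lock (SM01) or the additional authorization checks assigned to a transaction in SE93; the function module AUTHORITY_CHECK_TCODE performs all of those together and is the better choice where it is available. On releases that support it, CALL TRANSACTION p_tcode WITH AUTHORITY-CHECK achieves the same effect without a hand-written check.

A second added example, also not from the original tip, is the detection side: a small report that lists the generated ABAP Query programs (their names start with AQ, which is assumed here) whose source contains CALL TRANSACTION, SUBMIT or SYSTEM-CALL outside full-line comments. The program name, the name prefix and the keyword list are the editor's assumptions.

```abap
*-----------------------------------------------------------------------
* Added example, not part of the original tip: scan generated ABAP Query
* programs for statements that hand control to other programs.
*-----------------------------------------------------------------------
REPORT zscan_query_code.

TYPES: ty_line(255) TYPE c.           " generous width for READ REPORT

DATA: lt_progs TYPE TABLE OF trdir-name,
      lv_prog  TYPE trdir-name,
      lt_src   TYPE TABLE OF ty_line,
      lv_line  TYPE ty_line,
      lv_upper TYPE ty_line,
      lv_row   TYPE i.

* Assumption: executable programs generated by ABAP Query start with AQ.
SELECT name FROM trdir INTO TABLE lt_progs
       WHERE name LIKE 'AQ%'
         AND subc = '1'.

LOOP AT lt_progs INTO lv_prog.
  READ REPORT lv_prog INTO lt_src.
  CHECK sy-subrc = 0.

  lv_row = 0.
  LOOP AT lt_src INTO lv_line.
    lv_row = lv_row + 1.
    CHECK lv_line(1) <> '*'.          " skip full-line comments
    lv_upper = lv_line.
    TRANSLATE lv_upper TO UPPER CASE.
    IF lv_upper CS 'CALL TRANSACTION'
    OR lv_upper CS 'SUBMIT '
    OR lv_upper CS 'SYSTEM-CALL'.
      WRITE: / lv_prog, lv_row, lv_line(100).
    ENDIF.
  ENDLOOP.
ENDLOOP.
```

Treat every hit as a lead rather than a verdict: the keywords can also appear in trailing " comments or in code SAP generates itself, so each flagged program should be opened and the InfoSet it belongs to reviewed. The same scan is worth running on the InfoSet code before a transport leaves the development system.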





Copyright 2000 - 2008, TechTarget. SearchSAP.com is a search service provided by TechTarget and is completely independent of and not affiliated with SAP AG.