

ABAP CVA Checks: Write on sensitive database tables


A regular ATC check reported an ABAP CVA (Code Vulnerability Analysis) finding, "Write on sensitive database tables", where the sensitive SAP database table is USR05, the User Master Parameter table. In the ABAP code I was modifying the table record using the OpenSQL UPDATE command, or adding a new row to the USR05 table using the OpenSQL INSERT command.

Here are the details of the ATC (ABAP Test Cockpit) finding, which complains about updating the USR05 table (User Master Parameter ID) or writing a new record to this sensitive database table.

Security Checks for ABAP (CVA)
Write on sensitive database tables
Write access (INSERT) to database table USR05

ATC Check: Write on sensitive database tables USR05

The ABAP code block where I update existing data or insert a new user parameter to the SAP database table USR05 is as follows:

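DATA lv_param TYPE FLAG VALUE 'X'.
DATA lwa_usr05 TYPE usr05. " work area for the INSERT below
" Direct OpenSQL write on USR05: this is what the CVA check reports
UPDATE usr05 " User Master Parameter
 SET parva = p_nohint
 WHERE bname = sy-uname
  AND parid = 'Z_USR_PARAM01'.
IF sy-subrc = 4. " no row exists yet for this user and parameter ID
 lwa_usr05-bname = sy-uname.
 lwa_usr05-parid = 'Z_USR_PARAM01'.
 lwa_usr05-parva = p_nohint.
 INSERT INTO usr05 VALUES lwa_usr05.
ENDIF.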

It is better to modify such sensitive database tables using an appropriate function module or ABAP class instead of directly executing OpenSQL UPDATE or INSERT commands in ABAP code.

I found the solution, an ABAP function module for updating user parameters in the SAP table USR05, in the tutorial Set User Parameter in SAP using ABAP Function Module.

data lv_value type xuvalue.
lv_value = p_nohint.
" The function module writes the user parameter, so no OpenSQL on USR05 is needed here
call function 'CACS_SET_USER_PARAMETER'
 exporting
  i_uname = sy-uname
  i_parid = 'Z_USR_PARAM01'
  i_value = lv_value
* EXCEPTIONS
* WRITE_ERROR = 1
* OTHERS = 2
.

The code above shows how I converted the previous ABAP code block flagged by CVA into a better version, at least according to the ABAP CVA (Code Vulnerability Analysis) checking tool.
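To locate other direct writes to a table such as USR05 in exported ABAP source before an ATC run reports them, a name-based scan is enough for a first pass. The Python script below is an added example, not part of the original article and not how SAP's CVA check works; `SENSITIVE_TABLES` and the function names are assumptions, and only USR05 is taken from the page.

```python
import re

# Assumption: only USR05 is named on the page; extend the set for your own system.
SENSITIVE_TABLES = {"USR05"}

# Open SQL write keywords; group 2 captures the target name after optional INTO/FROM.
WRITE_STMT = re.compile(
    r"(UPDATE|INSERT|MODIFY|DELETE)\s+(?:(?:INTO|FROM)\s+)?(\w+)", re.I)

def strip_comments(source):
    """Drop * and " comments and literal contents, keeping line numbers intact."""
    out = []
    for line in source.splitlines():
        line = "" if line.startswith("*") else re.sub(r"'[^']*'|`[^`]*`", "''", line)
        out.append(line.split('"', 1)[0])  # cut inline comment
    return "\n".join(out)

def find_sensitive_writes(source, tables=SENSITIVE_TABLES):
    """Return (line, operation, table) for each Open SQL write to a listed table."""
    cleaned = strip_comments(source)
    findings = []
    for m in re.finditer(r"[^.]+\.", cleaned):  # one period-terminated statement
        stmt = m.group(0)
        start = m.start() + len(stmt) - len(stmt.lstrip())
        hit = WRITE_STMT.match(" ".join(stmt.split()))
        if hit and hit.group(2).upper() in tables:
            line = cleaned.count("\n", 0, start) + 1
            findings.append((line, hit.group(1).upper(), hit.group(2).upper()))
    return findings

# The direct-write statements discussed on the page, embedded as sample input.
SAMPLE = """\
DATA lv_param TYPE FLAG VALUE 'X'.
UPDATE usr05 " User Master Parameter
 SET parva = p_nohint
 WHERE bname = sy-uname
  AND parid = 'Z_USR_PARAM01'.
IF sy-subrc = 4.
 lwa_usr05-bname = sy-uname.
 lwa_usr05-parid = 'Z_USR_PARAM01'.
 lwa_usr05-parva = p_nohint.
 INSERT INTO usr05 VALUES lwa_usr05.
ENDIF.
"""

if __name__ == "__main__":
    for finding in find_sensitive_writes(SAMPLE):
        print(finding)
```

Dynamic table names such as `UPDATE (lv_tab)` are not resolved by this scan, and a local variable named like a listed table produces a false positive, so the ATC result remains the authoritative one.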












Copyright © 2004 - 2019 Eralper YILMAZ. All rights reserved.