I was auditing some ABL code and was curious if there was an equivalent to SQL injection within ABL? Or, are all queries essentially handled like a parameterized query in other languages?
Thanks,
Since ABL queries are handled separately from data manipulation statements (ASSIGN, UPDATE, CREATE, DELETE, ...) I can hardly see how something similar to SQL Injections (from browser urls or similar) should be possible within ABL queries.
With static queries, all variables are handled as parameters and with dynamic queries the query-expression is just used for data selection and not manipulation.
I hope I'm not wrong - but I also don't want to give you a guarantee...
But don't forget the fact that an ABL source code or R-Code might be replaced by a different file (at runtime). When the application is running on a system with a compiler license installed this get's even easier. But since the compiler is only able to compile files from disk (not from memory) this requires write access to the file system of the system where the app is installed. Compile time security defined in the database meta schema helps preventing this as well.