ui.sql

Integration framework

Processing Atom Call SQL

Last Modified: August 26, 2014

Table of Contents

1 Parameters ............................................................................................................................. 2 1.1 Recommendations for Special Cases ................................................................................ 5 1.2. Filtering Invalid XML Characters from Database Fields .................................................... 5

2 Functions ................................................................................................................................ 6 3 Single Processing ................................................................................................................... 8 4 Blocked Processing in Compatibility Mode .............................................................................. 9 5 Blocked Processing in Batch Mode ......................................................................................... 9 6 Optimizing the SQL Call for Large SQL Statements ...............................................................12 7 Preventing SQL Injection .......................................................................................................13 Copyrights, Trademarks, and Disclaimers .................................................................................16

Public 2014 SAP SE or an SAP affiliate company. All rights reserved 2

Call SQL In the process flow, use this atom to make SQL calls to a database system.

The functional atom Call SQL is of type simple call. You therefore do not need a predecessor transformation atom to prepare the data you send to the database system. However, if you need a predecessor transformation atom to calculate data to hand over as an inbound XML document to the system, add the transformation atom in front of the Call SQL atom. Use a predecessor atom to handle large SQL statements.

1 Parameters

Scenario Step Identifier This field is read-only and displays the name of the scenario step for which you develop the process flow. Atom Identifier This field is read-only and displays the name of the processing atom. The name is unique and the integration framework automatically generates is when creating the atom. The name follows

the convention atom where is a unique number. This name is important. It is the

identifier for subsequent atoms for accessing data of the atom using the XPath expression for

example /vpf:Msg/vpf:Body/vpf:Payload[./@id=atom2]/*.

Public 2014 SAP SE or an SAP affiliate company. All rights reserved 3

Description The integration framework automatically generates the description for the atom during atom creation. You can change the description. First and foremost it serves as a comment to describe the task that the atom executes. In the graphical flow, the integration framework displays this text as mouse over. You can also use the description to change the default label the integration framework displays on top of the atom. For introducing an individual label, add the new label in brackets at the end of your description. The integration framework displays the string this is my comment[my Label], for example as my Label on top of the atom. Note that your label can only have ten digits. SysId Select the system you want call using SQL.

A leading # indicates an explicit value, for example #0010000105 calls the system that has

SysID 0010000105 in the SLD. If you use an explicit SysId from SLD, make sure that later at runtime, the system is the same to ensure the same SysId. Using the explicit value (with leading

#), you can also use variables and properties.

For more information, click the button to open the documentation. You have the following options:

B1 system based on User You can only use this option for scenario steps triggered by HTTP or Web Services which run in a session and if the HTTP channel is associated to a B1 system using the SLD

parameter associatedSrvIP.

Sender System You make the SQL call to the B1 sender system that you have defined in your inbound definition as the sender system.

List of systems in your SLD If you must calculate the SysId at runtime, you do not use an explicit value. Enter the XPath expression instead. In the XPath expression, you can pick up a value from the payload generated for example by the predecessor transformation.

An example is /vpf:Msg/vpf:Body/vpf:Payload[./@id=atom2]/@sysid.

Stop processing if fails With this parameter you can control the behavior of the integration framework, if an exception occurs during the SQL call. The parameter is read-only. If you set the value to false, processing continues in case of an exception. This is the default setting. This gives you the possibility to introduce your own error handling in the following transformation atom(s). If you set the value to true, an exception forces the processing of your scenario step to fail. You can display the message in the message log error section with the complete call stack of the internal processing. The default error handling of the integration framework is to restart the scenario step after one minute. The integration framework also allows you to provide your own error handler as a scenario step inside your scenario package. You can define your own error handler in the integration framework, selecting ScenariosPackage Design [Definitions] Error Handling. A prerequisite for this is that you have a scenario step in your scenario

Public 2014 SAP SE or an SAP affiliate company. All rights reserved 4

package that is of type queue inbound. In this individual error scenario step, you can define what you need. You can send an e-mail, a B1 alert, insert a message into a table, and so on. You can only use explicit values for this parameter. The parameter does not support XPath, variables and properties. Method Select the method how the integration framework identifies the SQL method. The following options are available:

Automatic detection by key word The integration framework detects the method by the first statement that you enter in the Default SQL Statement or in the HANA SQL Statement field.

Query statement If you want to send a query or queries in your SQL call, select Query statement. The

integration framework sets the Processing Mode to Single Processing and the Blocked

Processing Delimiter to a semicolon. You cannot change the settings.

Update statement If you want to make an update or updates in the database, select Update statement. The

integration framework sets the Processing Mode to Single Processing and the Blocked

Processing Delimiter to a semicolon. You cannot change the settings. Processing Mode Select the method how you want to submit the SQL statements to the database. You have the following options:

Single Processing Single processing allows you to submit SQL statements call by call to the database. The integration framework guaranties the order of SQL statements that it submits to the database.

Blocked Processing in compatibility mode This option is available to be compatible with older versions of the SQL Call atom. In older versions, you have the Blocked Processing checkbox available. If you select the checkbox, the system has the same behavior when choosing the Blocked Processing in compatibility mode option.

NOTE Do not use this mode for new developments.

Blocked Processing in batch mode With this option, you can group related SQL statements into a batch and submit them in one call to the database. This option reduces communication overhead and can have a positive impact on the overall performance.

Blocked Processing Delimiter Enter the delimiter you use to separate the SQL statements for batch processing. You cannot

use characters that define regular expressions such as .

Default SQL Statement To provide the SQL statement or statements, you have the following options:

Enter the SQL statement or statements for your SQL call directly.

Public 2014 SAP SE or an SAP affiliate company. All rights reserved 5

Enter an XPath statement that point to the call.

Enter the name of a transformation atom that contains the SQL statement or statements. This supports you in processing large SQL statements. For more information, see section 6 of this document

1.1 Recommendations for Special Cases

If values in an XPath statement contain a string that starts with ! (exclamation mark) and ends with _ (underscore), the integration platform (B1iP) interprets this as a variable and the SQL statement does not work. In such a case, do not enter the XPath statement but the

transformation atom identifier, where you provide the statement in the tag.

If a value in an SQL statement contains a (single quote), for example, 235, the SQL

statement does not interpret this correctly and only considers 23 and the SQL call fails.

Double the single quote to hand over the correct value: 235

If a database contains special characters in tables that are not Latin, but for example Hebrew, use the N character in the WHERE clause of an SQL statement to include the

special characters.

Example SELECT T2.E_MAIL as FromEmail FROM OUSR as T2 WHERE

T2.USER_CODE=N'$userid'

To avoid out of memory errors at integration framework runtime, the integration framework in general reduces SQL statements to 1000 characters in the return payload.

1.2. Filtering Invalid XML Characters from Database Fields

Invalid XML characters in database fields cause exceptions at integration framework runtime. To avoid such errors, prepare your SQL statement not in the user interface, but in an XSL transformation atom. In the XSL transformation atom, you can use the

filterInvalXMLChar=true attribute to filter invalid XML characters.

Procedure

1. Create an XSL Transformation atom in from of the Call SQL atom.

2. In the BizStore, in the XSL document, provide the attribute in the following way: select * from table

3. In the SQL call atom, in the Default SQL Statement field, enter #atom to

reference the XSL transformation atom.

is the number of the XSL transformation atom that contains the SQL statement.

Public 2014 SAP SE or an SAP affiliate company. All rights reserved 6

2 Functions

To open documentation, describing the concepts of variables and properties and how to use them in the context of the process development, click this button.

The integration framework provides context-based documentation. If documentation is available, the integration framework displays the documentation icon. The greyed out icon indicates still missing documentation. To open documentation, click the icon. [Save] To save the current parameter definitions of the processing atom, click the [Save] button. The integration framework stores all settings directly in the process flow definition document (vBIU.bfd). To open the document, click the icon on the start atom of your flow. [VarL] To add, change or delete local variables, click the button. Local variables are only relevant for the scenario step they are defined in. In the scenario step all atoms can use them. You can assign fixed literals or an XPath which runs against the incoming message at runtime before the system calls the process flow. In the process flow the value is fixed and you cannot change it. You can use local variables in your XSL coding or in the parameter definition for atoms. For

more information, click the button [VarG] To add, change or delete global variables, click the [VarG] button. Global variables are valid for all scenario steps of a scenario package. In the scenario steps all atoms can use them. You can assign fixed literals or an XPath which run against the incoming message at runtime before the system calls the process flow. Inside the process flow the value is fixed and you cannot change it. You can use the global variables in your XSL coding or in the parameter definition for atoms.

For more information, click the button [HANA] If you want to make the call to a SAP HANA database, click the [HANA] button. HANA SQL Statement Enter the SQL statement or statements for the SAP HANA database. Note that if a HANA SQL statement contains the table field name, and the table field name contains lower case characters, enclose the table field name in double quotation marks. Example:

Default SQL Statement: SELECT ItemName FROM OITM WHERE ItemCode=A0001

HANA SQL Statement: SELECT ItemName FROM OITM WHERE ItemCode=A0001

If a database contains special characters in its tables that are not Latin, but for example

Hebrew, use the N character in the WHERE clause of an SQL statement to include the special

characters.

Public 2014 SAP SE or an SAP affiliate company. All rights reserved 7

Example SELECT T2.E_MAIL as FromEmail FROM OUSR as T2 WHERE

T2.USER_CODE=N'$userid'

For more information about SAP HANA, in the internet select http://help.sap.com/hana.

[Close] To close the user interface of the atom, click the [Close] button.

Public 2014 SAP SE or an SAP affiliate company. All rights reserved 8

3 Single Processing

If you select the Single Processing mode, the integration framework separately submits each SQL statement you have entered in a transaction to the JDBC adapter, which hands them over call by call to the database. In this case the integration framework guarantees that it hands over the SQL statements and submits them to the database in the same order as you have entered them. You find each call in a separate payload. Example SQL statements: #select * from tbl1 where [key]='1';select * from tblA;select * from

tblB;update tbl1 set F1='X' where [key]='1';update tbl set F1='Y'

where [key]='2'

The fifth statement leads to an error.

Public 2014 SAP SE or an SAP affiliate company. All rights reserved 9

208

Invalid object name 'tbl'.

S0002

The single processing mode is identical with the previous Call SQL atom versions where you have not selected the Blocked Processing checkbox.

4 Blocked Processing in Compatibility Mode

In previous versions of the SQL Call atom, you have the possibility to select the Blocked Processing checkbox. Blocked Processing in compatibility mode provides the same system behavior. If you define SQL statements containing only select, only update or only delete statements, this option hands over the statements to the database that processes them in batch mode. However if you define different statement types, for example select and update statements for the batch, this does not work. Additionally, the error handling of the integration framework gives you wrong or incomplete information about processing. If the database correctly executes the first SQL statement, but cannot process the following statements, the integration framework always provides information, that the processing of all SQL statements has been correct.

NOTE SAP recommends that you no longer use this mode for new developments.

5 Blocked Processing in Batch Mode

The Blocked Processing in Batch Mode makes use of the batch mode that databases provide. Define the delimiter separating the SQL statements in the Blocked Processing Delimiter field. The JDBC adapter that handles the SQL call in the integration framework separates all SQL statements that you enter, writes them to an array, and sends the array to the batch processing of the database. The batch processing of the database analyses the array and possibly changes the processing order of SQL statements for internal optimization. Therefore the integration framework cannot guarantee the in order processing of SQL statements. Note that Blocked Processing in Batch Mode always comprises one transaction. If any SQL statement in the batch fails, the transaction completely rolls back.

Public 2014 SAP SE or an SAP affiliate company. All rights reserved 10

There are databases that cannot handle read and write operations in one batch. The integration framework provides the following to overcome this:

If the integration framework finds at least one select statement in the SQL statements you

enter, the integration framework internally switches to single processing mode and hands over the SQL statements one by one to the database. But even then the processing comprises one transaction. In this case, the integration framework guarantees the in order processing of SQL statements. The result is part of one payload. Example for Successful Processing SQL statements: #select * from tbl1 where [key]='1';select * from tblA;select * from

tblB;update tbl1 set F1='X' where [key]='1';update tbl 1set F1='Y'

where [key]='2'

Result:

...

...

...

...

...

1

1

Example for an Exception SQL statements: #select * from tbl1 where [key]='1';select * from tblA;select * from

tblB;update tbl1 set F1='X' where [key]='1';update tbl set F1='Y'

where [key]='2'

Result:

Public 2014 SAP SE or an SAP affiliate company. All rights reserved 11

The integration framework does not process any of the SQL statements. It raises an error and hands over error handling. The error message displays the sql error: com.sap.b1i.bizprocessor.BizProcException: BPE001 Nested exception:

com.sap.b1i.xcellerator.XcelleratorException: XCE001 Nested exception:

com.sap.b1i.xcellerator.XcelleratorException: XCE001 Nested exception:

com.sap.b1i.xcellerator.XcelleratorException: XCE001 Nested exception:

com.microsoft.sqlserver.jdbc.SQLServerException: Invalid object name

'tbl'.

Public 2014 SAP SE or an SAP affiliate company. All rights reserved 12

6 Optimizing the SQL Call for Large SQL Statements

In the Default SQL Statement field, you directly enter your SQL statement or statements, or you enter an XPath that points to the SQL statement. Alternatively, you can enter the name of a transformation atom containing the SQL call information in the Default SQL Statement field.

Enter the information in the following way: #atom. Enter, for example, #atom2

NOTE This proceeding especially makes sense, if you handle large SQL statements that can cause memory problems at runtime, for example, a stack overflow.

In the transformation atom, provide an tag and place your SQL statement or statements

inside the tag.

You can use the following attributes in the tag:

removeinbound In the removeinbound attribute, provide the transformation atom name that contains the

SQL statement or statements definition. At runtime, the integration framework removes the SQL statement from the payload tag of the predecessor transformation atom. Instead, it

includes the following information: removed by sqlcall

occ In the occ (occurrence) attribute, provide how many semicolons you use in your SQL

statements definition. If you have, for example, one SQL statement, occ=0.

This way, the integration framework does not have need to calculate the number of SQL statements at runtime. This improves the performance.

result Using this attribute does not improve the performance. Use it, if database fields contain invalid characters according to the XML specification. It is the default that the integration framework uses database table field names as tags to create the result structure of the SQL call. If the field names contain invalid characters according to the XML specification, such as

#, for example, this leads to an error at runtime. Use the result attribute to avoid such a

situation. Example for default processing

01

This is a text

02

This is also a text

.

.

.

Public 2014 SAP SE or an SAP affiliate company. All rights reserved 13

Set result=Field

01

This is a text

02

This is also a text

.

.

.

7 Preventing SQL Injection

SQL injection is a technique that exploits a potential security vulnerability occurring in the scenario layer of your integration scenario. Whereas the integration framework takes care in all cases when the framework generates SQL statements, you have to explicitly prevent SQL injection in case you generate an SQL statement based on incoming data. If you use the B1i SQL option, you can ignore this section. You generate the SQL statement during the processing flow using a transformation atom. Inside you render the SQL statement by fixed text and values, picked up by XPath statements from the processed integration framework message. As one part of the integration framework message is the inbound message handed over by an external caller, an intruder can use this channel to handover injected data instead of a normal value. To discuss this topic, we need to differentiate between a string value and a numeric value. Let us take a look at the following example: Expected Use Case A Correct User is Calling

mystring 4711

Public 2014 SAP SE or an SAP affiliate company. All rights reserved 14

select field1 from TBL1 where strgkey ='' select field2 from TBL2 where numkey =

select field1 from TBL1 where key ='mystring' select field2 from TBL2 where key =4711

Intrusion Use Case An Intruder is Calling with the Intention to Destroy the ERP System

X;drop table USERS-- 5;drop table ITEMS select field1 from TBL1 where strgkey ='' select field2 from TBL2 where numkey =

select field1 from TBL1 where key =' X;drop table USERS--' select field2 from TBL2 where key =5;drop table ITEMS

Intrusion Use Case An Intruder Succeeds

X;drop table TAB3-- 5;drop table TAB4

select field1 from TBL1 where strgkey ='' select field2 from TBL2 where numkey =

Public 2014 SAP SE or an SAP affiliate company. All rights reserved 15

select field1 from TBL1 where key =' X;drop table TAB3--' select field2 from TBL2 where key =NaN

To prevent intrusion from outside, the integration framework provides you with two functions to wrap the variable, or value before inserting it into the SQL string. The function utils2:handleSQLString(string()) duplicates the character. This

guarantees that the system does not process the drop statement but inserts it as string value into the database field. An additional positive effect is that this allows you to handle normal strings containing a character. The function utils2:handleSQLNumber(string()) type-casts the incoming value explicitly

to a number. In case of an intrusion the result is a NaN which leads to an SQL syntax error.

CAUTION We strongly recommend using the above functions. We strongly recommend replacing only values by outside data. Do never design the scenario to accept complete SQL statements or parts of SQL statements from outside. You cannot control such a situation.

Public 2014 SAP SE or an SAP affiliate company. All rights reserved 16

Copyrights, Trademarks, and Disclaimers

Copyright 2014 SAP SE. All rights reserved. The current version of the copyrights, trademarks, and disclaimers at http://service.sap.com/smb/sbocustomer/documentation is valid for this document.