SAP NetWeaver AS ABAP Release 740, ©Copyright 2014 SAP AG. All rights reserved.
Cross-Client Database Access
Each client is a self-contained unit. The automatic client handling function ensures that application programs can only access the business data in the current client. If the automatic client handling function is bypassed using the addition CLIENT SPECIFIED in Open SQL or directly in Native SQL, this can result in non-local data being accessed in a way that presents a security risk.
Cross-client access to database tables is permitted only in system programs in the system client or in administration clients.
Note
See also the programming guidelines for client handling.
Example
The following program section permits a user to access customer data in any client. This should be avoided at all costs.
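" The client defaults to the current client, but the user may overwrite it.
DATA client TYPE sy-mandt.
client = sy-mandt.
cl_demo_input=>request( CHANGING field = client ).

" CLIENT SPECIFIED switches off automatic client handling, so the
" user-supplied client decides whose customer data is read.
DATA customers TYPE TABLE OF scustom.
SELECT *
       FROM scustom CLIENT SPECIFIED
       INTO TABLE customers
       WHERE mandt = client.
cl_demo_output=>display( customers ).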
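A code-review check for the two bypasses named above, CLIENT SPECIFIED in Open SQL and Native SQL, written as an added example that is not part of the SAP documentation. The function names and the sample source are constructed, and the client column is assumed to be called mandt as in the scustom example.

```python
import re

# Constructed sample input: the page's program section plus a client-safe
# SELECT and a Native SQL block.
SAMPLE = """\
* constructed sample report
DATA client TYPE sy-mandt.
client = sy-mandt.
cl_demo_input=>request( CHANGING field = client ).
DATA customers TYPE TABLE OF scustom.
SELECT *
       FROM scustom CLIENT SPECIFIED
       INTO TABLE customers
       WHERE mandt = client.
SELECT * FROM scustom INTO TABLE customers. "no CLIENT SPECIFIED here
EXEC SQL.
  SELECT COUNT(*) FROM scustom INTO :cnt
ENDEXEC.
"""

OPEN_SQL = ("SELECT", "INSERT", "UPDATE", "MODIFY", "DELETE", "OPEN CURSOR")
LITERAL_OR_COMMENT = re.compile(r"('[^']*'|`[^`]*`)|\".*")

def statements(source):
    """Yield (start_line, normalized_text) per period-terminated statement."""
    cleaned = []
    for line in source.splitlines():
        line = "" if line.startswith("*") else line   # full-line comment
        # Blank out literals and drop inline comments so neither fakes a hit.
        cleaned.append(LITERAL_OR_COMMENT.sub(
            lambda m: "''" if m.group(1) else "", line))
    text = "\n".join(cleaned)
    for m in re.finditer(r"[^.]+\.", text):
        raw = m.group()
        start = m.start() + len(raw) - len(raw.lstrip())
        yield text.count("\n", 0, start) + 1, " ".join(raw.upper().split())

def find_cross_client_access(source):
    """Return (line, kind, detail) for each bypass of client handling."""
    findings = []
    for line, stmt in statements(source):
        if stmt.startswith("EXEC SQL"):
            findings.append((line, "native-sql", "no automatic client handling"))
        elif stmt.startswith(OPEN_SQL) and re.search(r"\bCLIENT SPECIFIED\b", stmt):
            # Assumption: the client column is named MANDT.
            m = re.search(r"\bMANDT (?:=|EQ) @?([\w-]+)", stmt)
            operand = m.group(1) if m else "?"
            kind = "current-client" if operand == "SY-MANDT" else "cross-client"
            findings.append((line, kind, "client taken from " + operand))
    return findings
```

Calling `find_cross_client_access(SAMPLE)` reports the SELECT that takes its client from the user-supplied variable and the EXEC SQL block, and leaves the client-safe SELECT alone.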