Rule Definition
By exploiting a SQL injection vulnerability, an attacker can read or modify business-critical information or system data. A denial of service is also possible: the attacker submits an expensive statement, for example a query that matches a pattern (via a LIKE condition) against every record in a large table. Such a query runs for a long time and drives up database load, so legitimate users are blocked from the application while it executes.
Remediation
Avoid using these kernel calls (CALL 'C_DB_EXECUTE' and CALL 'C_DB_FUNCTION') altogether. They hand a statement string straight to the database, so every part of that string that originates from user input is interpreted as SQL.
If they cannot be avoided, never splice raw user input into the statement text. Enclose each user-supplied value with the QUOTE_STR or QUOTE method of class CL_ABAP_DYN_PRG: both wrap the value in delimiters and double every delimiter found inside it, so the value cannot terminate the literal early and append further SQL. In ABAP, string literals are enclosed in backticks (`) and character (text field) literals in single quotation marks ('); pick the method that matches the delimiter you are building: QUOTE_STR produces a backtick-enclosed literal and QUOTE a single-quote-enclosed one. Statements handed to the database delimit string literals with single quotes, so QUOTE is the relevant method for native SQL text; backticks mean nothing to the database. Quoting only protects values. User-controlled identifiers such as table or column names cannot be quoted and must instead be validated against an allow list, for example with CHECK_TABLE_NAME_STR or CHECK_WHITELIST_TAB of the same class. Where the native interface permits it, prefer ADBC (CL_SQL_STATEMENT) with parameter markers, so the value is bound to the statement rather than concatenated into its text.
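The three variants below, as an added example that is not part of the CAST rule page: the unprotected concatenation, the same statement with the value enclosed by CL_ABAP_DYN_PRG=>QUOTE, and the ADBC form that binds the value to a parameter marker. The table ZCUSTOMERS, its column NAME and the parameter P_NAME are hypothetical.

```abap
* Added example, not code from the CAST rule page. Assumes a hypothetical
* table ZCUSTOMERS with a column NAME and a selection-screen parameter P_NAME.
REPORT zsec_sqli_demo.

TYPES: BEGIN OF ty_row,
         name TYPE c LENGTH 40,
       END OF ty_row.

PARAMETERS p_name TYPE c LENGTH 40.

DATA lv_name TYPE string.
DATA lv_stmt TYPE string.
DATA lt_rows TYPE STANDARD TABLE OF ty_row WITH EMPTY KEY.

lv_name = p_name.   " c -> string conversion drops the trailing blanks

* (1) Vulnerable: the value is spliced into the statement text unchanged.
*     Entering  x' OR 'a'='a  as P_NAME rewrites the WHERE clause.
lv_stmt = |SELECT name FROM zcustomers WHERE name = '{ lv_name }'|.

* (2) Still dynamic, but the literal boundary can no longer be broken:
*     cl_abap_dyn_prg=>quote( ) wraps the value in single quotes and doubles
*     every single quote inside it, so  x' OR 'a'='a  becomes  'x'' OR ''a''=''a'.
*     Single quotes are what database SQL literals use, so QUOTE (not QUOTE_STR)
*     is the method for native SQL text such as the STATTXT field of
*     CALL 'C_DB_EXECUTE'.
lv_stmt = |SELECT name FROM zcustomers WHERE name = { cl_abap_dyn_prg=>quote( lv_name ) }|.

* (3) Preferred: do not assemble SQL text from user data at all. ADBC binds the
*     value to a parameter marker (?), so the database never parses it as SQL.
TRY.
    DATA(lo_stmt) = NEW cl_sql_statement( ).
    lo_stmt->set_param( REF #( lv_name ) ).
    DATA(lo_result) = lo_stmt->execute_query(
      `SELECT name FROM zcustomers WHERE name = ?` ).
    lo_result->set_param_table( REF #( lt_rows ) ).
    lo_result->next_package( ).
    lo_result->close( ).
  CATCH cx_sql_exception INTO DATA(lx_sql).
    MESSAGE lx_sql->get_text( ) TYPE 'I'.
ENDTRY.

LOOP AT lt_rows INTO DATA(ls_row).
  WRITE: / ls_row-name.
ENDLOOP.
```

Variant (2) is the remediation the rule describes for code that must keep using a native statement string; variant (3) removes the string assembly entirely and is the form to aim for when the kernel call can be replaced.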
Violation Code Sample
PARAMETERS STMT(65535) TYPE C.
* STATTXT is executed as native SQL; STMT arrives unchecked from the selection screen
CALL 'C_DB_EXECUTE'
  ID 'STATLEN' FIELD LN
  ID 'STATTXT' FIELD STMT
  ID 'SQLERR'  FIELD SQL_CODE
  ID 'ERRTXT'  FIELD SQL_MSG
  ID 'ROWNUM'  FIELD ROW_NUM.
The field 'STATTXT' carries the SQL statement that C_DB_EXECUTE runs. STMT is a selection-screen parameter, so its content is chosen by the user and is passed to that field unchanged. An attacker can therefore enter a crafted SQL statement in STMT and have it executed on the database.
---------------------------------------------------
PARAMETERS lv_stmt TYPE c LENGTH 80.
* STMT_STR is executed as native SQL by DB_SQL; lv_stmt arrives unchecked from the selection screen
CALL 'C_DB_FUNCTION' ID 'FUNCTION' FIELD 'DB_SQL'
                     ID 'FCODE'    FIELD 'PO'
                     ID 'STMT_STR' FIELD lv_stmt
                     ...
The field 'STMT_STR' carries the SQL statement that the DB_SQL function executes. lv_stmt is a selection-screen parameter, so its content is chosen by the user and is passed to that field unchanged. An attacker can therefore enter a crafted SQL statement in lv_stmt and have it executed on the database.
Reference
https://dzone.com/articles/sap-sql-injections
Related Technologies
Technical Criterion
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.