SAP Knowledge Base Article - Public

3279955 - CSV Export and Excel Import

Symptom

Microsoft Excel interprets cells of CSV files. This could have two consequences:

  • Cells containing certain patterns (like “=2+3”) don´t show their pure content but display a calculation result (like “5”).
  • Malicious users could enter fields in ByDesign that intentionally show wrong results when exported to CSV.

Environment

SAP Business bydesign

Cause

The general recommendation is to adjust interpreted CSV cells, e.g. every leading “=” should be prefixed by an apostrophe (like “'=2+3”).

In ByDesign, CSV files are not only used for data display in Excel but also for general data export and import. At several places field values have direct impact of business (e.g.: the ID “=ABC” is different from the ID “'=ABC”). Tests have shown that such a modification leads to critical issues. In consequence, ByDesign cannot follow the recommendation; it leaves the data unchanged during export. (“=2+3” remains “=2+3”.)

Resolution

To avoid that issues interfere with other parts of the document or exploit known vulnerabilities:

  • Follow your company policy of keeping the software (Excel or other spreadsheet applications used) up to date.
  • Recommend users to be cautious while dealing with CSV files with macros, following general best practices.

Keywords

CSV, Injection, Export, Import, Excel , KBA , SRD-CC-MIG-DXT , BYD- Data Extraction Tool , Problem

Product

SAP Business ByDesign all versions