RE: security hole in interactive sql call statement? -- MIDRANGE-L

× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.

John,

I see you your point.  I was probably trying to be to simplistic.

Charles Wilt
iSeries Systems Administrator / Developer
Mitsubishi Electric Automotive America
ph: 513-573-4343
fax: 513-398-1121
 

> -----Original Message-----
> From: John Earl [mailto:john.earl@xxxxxxxxxxxxx]
> Sent: Tuesday, November 16, 2004 5:44 PM
> To: Midrange Systems Technical Discussion
> Subject: RE: security hole in interactive sql call statement?
> 
> 
> > Consider STRSQL as the RDBMS equivalent to the command
> > line.
> > 
> > Thus, if you don't allow the programmers access to the
> > command line you
> > probably shouldn't be allowing access to STRSQL either.
> 
> I think I want to disagree with that thought Charles - In the example
> presented the database was secure against programmer access (so STRSQL
> was no additional threat), it's just that other portions of 
> the OS were
> not secured well enough to prevent identity theft of the production
> owning User Profile.  That may be a common security exposure but it's
> not one that you can lay at the feet of the STRSQL statement, or even
> the RDBMS.
> 
> JMHO,
> 
> jte  
>

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.