On 2/25/2014 2:18 PM, James H. H. Lampert wrote:
My Fellow Midrange Geeks and Geekettes:
One of the features I've put into my project is the ability to
incorporate a user-specified WHERE clause into the generated WHERE
clauses of my queries, in order to filter the records accessed.
But if the user uses this feature to insert garbage into the WHERE
clause (e.g., "WHERE FOO = 'BAR'," with no FOO field in the file), it
results in a series of bad JDBC calls that crashes JDBC and the JVM,
requiring the user to sign off and sign back on.
Space offset X'00000000' or X'00008000300149F0' is outside current limit
for object <jobname> <user> <jobnum>.
I'd like to be able to catch the bad query before this happens. Is there
a way to do this?
Yes: Don't do that.
Seriously, this is called an SQL injection attack. Instead of allowing
the end user to put any free-form text into your WHERE clause, build a
front end where they select the columns and conditions and have your
code construct the WHERE clause.