MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » February 2014

Re: JDBCR4 question -- Checking the syntax of a query without crashing the JVM



fixed

On 2/25/2014 2:18 PM, James H. H. Lampert wrote:
My Fellow Midrange Geeks and Geekettes:

One of the features I've put into my project is the ability to
incorporate a user-specified WHERE clause into the generated WHERE
clauses of my queries, in order to filter the records accessed.

But if the user uses this feature to insert garbage into the WHERE
clause (e.g., "WHERE FOO = 'BAR'," with no FOO field in the file), it
results in a series of bad JDBC calls that crashes JDBC and the JVM,
requiring the user to sign off and sign back on.
Space offset X'00000000' or X'00008000300149F0' is outside current limit
for object <jobname> <user> <jobnum>.

I'd like to be able to catch the bad query before this happens. Is there
a way to do this?

Yes: Don't do that.

Seriously, this is called an SQL injection attack. Instead of allowing
the end user to put any free-form text into your WHERE clause, build a
front end where they select the columns and conditions and have your
code construct the WHERE clause.
--buck





Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact