


An injection attack occurs when you embed additional SQL commands into an external SQL statement. Taking Charles' example, if you have:

wSQL = 'select * from XYZ where fld2 = ' + QUOTE + inFld2Value + QUOTE;

An injection attack could occur by adding additional commands within the inFld2Value parameter. So if inFld2Value had a value of "a';DROP TABLE users; select * from users where t='", it would have the potential to not find anything in the first statement and then attempt to drop a table named users and then attempt to query the users table.

/b;

-----Original Message-----
From: rpg400-l-bounces@xxxxxxxxxxxx [mailto:rpg400-l-bounces@xxxxxxxxxxxx] On Behalf Of David FOXWELL
Sent: Tuesday, October 20, 2009 8:49 AM
To: RPG programming on the IBM i / System i
Subject: RE: SQL Problem


-----Original Message-----
[mailto:rpg400-l-bounces@xxxxxxxxxxxx] On Behalf Of Charles Wilt
Note however, if you have something like so

wSQL = 'select * from XYZ where fld2 = ' + QUOTE + inFld2Value + QUOTE;

you are opening yourself up to SQL injection attacks.
Instead, you should use parametrized statements:

// The ? parameter marker takes the place of the concatenated value
wSQL = 'select * from XYZ where fld2 = ?';

// Prepare the statement text, declare a cursor over it, then bind the
// host variable at open time; the value is passed as data, never as SQL text
exec sql prepare S1 from :wSQL;

exec sql declare C1 cursor for S1;

exec sql open C1 using :inFld2Value;

Charles,
Can you illustrate what you mean by an injection attack?

Thanks.

--
This is the RPG programming on the IBM i / System i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/rpg400-l.
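As an added example, not from the thread and written in Python against an in-memory SQLite database so it runs stand-alone, this builds the same concatenated wSQL string with the payload Brian quotes and compares it with a ? parameter marker like the one in Charles' prepare/open sequence. The XYZ and users tables and their rows are constructed here; the helper names are my own.

```python
import sqlite3

# The payload quoted in the message above, and the QUOTE constant from the RPG example.
PAYLOAD = "a';DROP TABLE users; select * from users where t='"
QUOTE = "'"


def fresh_db():
    """Throwaway in-memory database standing in for XYZ and users (constructed data)."""
    con = sqlite3.connect(":memory:", isolation_level=None)  # autocommit: no hidden transactions
    con.executescript("""
        CREATE TABLE XYZ (fld1 TEXT, fld2 TEXT);
        INSERT INTO XYZ VALUES ('row1', 'a'), ('row2', 'b');
        CREATE TABLE users (t TEXT);
        INSERT INTO users VALUES ('alice');
    """)
    return con


def build_concatenated(in_fld2_value):
    """Same construction as wSQL = 'select * from XYZ where fld2 = ' + QUOTE + inFld2Value + QUOTE."""
    return "select * from XYZ where fld2 = " + QUOTE + in_fld2_value + QUOTE


def table_exists(con, name):
    row = con.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,))
    return row.fetchone() is not None


def run_concatenated(in_fld2_value):
    """Vulnerable path: the value becomes statement text. sqlite3's execute() refuses more than
    one statement per call, so executescript stands in for an interface that does not.
    Returns (users table still exists?, error text from the statement that failed, if any)."""
    con = fresh_db()
    error = None
    try:
        con.executescript(build_concatenated(in_fld2_value))
    except sqlite3.OperationalError as e:  # third statement fails: users is already gone
        error = str(e)
    return table_exists(con, "users"), error


def run_parameterized(in_fld2_value):
    """Hardened path, matching the ? marker in the prepare/open sequence: the value is bound
    as data, so the quote and semicolons in the payload cannot change what the statement does.
    Returns (matching rows, users table still exists?)."""
    con = fresh_db()
    rows = con.execute("select * from XYZ where fld2 = ?", (in_fld2_value,)).fetchall()
    return rows, table_exists(con, "users")
```

With the payload, run_concatenated returns (False, 'no such table: users') while run_parameterized returns ([], True): the lookup simply finds no row whose fld2 equals the whole payload string.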

