Re: Reduce large amount of logicals in SUBFL pgm, take in another direction -- RPG400-L

× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.

Subject: Re: Reduce large amount of logicals in SUBFL pgm, take in another direction
From: Gqcy <gmufasa01@xxxxxxxxx>
Date: Mon, 01 Aug 2011 13:33:54 -0500
List-archive: <http://archive.midrange.com/rpg400-l>
List-help: <mailto:rpg400-l-request@midrange.com?subject=help>
List-id: RPG programming on the IBM i / System i <rpg400-l.midrange.com>
List-post: <mailto:rpg400-l@midrange.com>
List-subscribe: <http://lists.midrange.com/mailman/listinfo/rpg400-l>, <mailto:rpg400-l-request@midrange.com?subject=subscribe>
List-unsubscribe: <http://lists.midrange.com/mailman/listinfo/rpg400-l>, <mailto:rpg400-l-request@midrange.com?subject=unsubscribe>

What if I ask the question another way:

are you "always" better off using a prepared statement?

I ask, because even though the programmer carefully created the SQL
via concatenation to protect against injection, the next maintenance programmer may not.

On 8/1/2011 9:54 AM, Charles Wilt wrote:

Anytime you have
wSqlStmt = 'SELECT<..> ' + userEnteredValue;

The technical answer is _YES_ it is vulnerable.

It may be difficult (and involve more work than the average hacker
would be willing to do), but it could be done...

This example:

For example, the panel the user sees might have:
_Location
_Department
_Class
Where they would enter 1, 2, and 3 to denote the sort sequence. This
scenario would not be susceptible to injection, would it?

in which case you'd have
if sortLoc = 1;
wSqlStmt += ' ORDER BY location ';
endif;

if sortDept = 1;
wSqlStmt += ' ORDER BY department ';
endif;
<...>

doesn't directly concatenate the user value to the statement and this
is not vulnerable.

As an Amazon Associate we earn from qualifying purchases.

Follow-Ups:

Re: Reduce large amount of logicals in SUBFL pgm, take in another direction , Charles Wilt

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.