Kurt,

Yes, you could do that, but of course, if the semi-colon is part of the
(valid) data the user is entering (for instance, in a comments section, they
might want to use one), then there would be a problem!

In general, whilst you *can* parse and validate your own user-entered data,
it's much simpler (and *better*) to use parameters.

I think lots of IBM i developers aren't aware of the problem of SQL
injection - you're certainly not an outlier! As I pointed out on a previous
post, because of the relatively 'niche' environment in which we work, plus
the fact that the vast majority of development (including SQLRPG) is done in
a green-screen world, we've needed to be less aware of potential problems
like this. I'll even stick my head out and say that SQL injection is
unlikely to *ever* be a 'real' problem for most IBM i shops. But that
doesn't mean that you shouldn't code 'properly', which means using
parameters.

Rory

On Tue, Aug 2, 2011 at 9:12 AM, Kurt Anderson
<kurt.anderson@xxxxxxxxxxxxxx> wrote:

I never knew about SQL injection until this thread (am I living under a
rock?), so this has been quite informative.

I did have a comment/suggestion: Could the programmer check the user-input
field for a semi-colon, and if that value was present to treat it as invalid
and not perform the SQL (controlled abend)?

-Kurt
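An added illustration of the two points in this exchange (a semicolon check rejects legitimate comment text, while parameters carry any text safely), written in Python with SQLite standing in for SQLRPG; this is example code, not from the thread or from any IBM i product, and the table, function names and sample comments are all constructed.

```python
import sqlite3

def rejects_semicolon(value: str) -> bool:
    """The suggested check: treat any input containing ';' as invalid."""
    return ";" in value

def build_db() -> sqlite3.Connection:
    # Constructed in-memory table for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn

def save_comment_concat(conn: sqlite3.Connection, body: str) -> None:
    # The pattern that causes the problem: user text is spliced into the
    # statement string, so the database parses the data as part of the SQL.
    conn.execute("INSERT INTO comments (body) VALUES ('" + body + "')")
    conn.commit()

def save_comment_param(conn: sqlite3.Connection, body: str) -> None:
    # The recommended pattern: the statement text is fixed and the value
    # travels separately as a parameter, so it is never parsed as SQL.
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()

def stored_comments(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]

# Constructed sample inputs: ordinary, valid text a user might type in a
# comments field. One contains a semicolon, one contains an apostrophe.
SAMPLES = ["Great service; will order again", "Spoke with Mr. O'Brien today"]

def demo() -> dict:
    results = {}
    # The semicolon check wrongly rejects the first (perfectly valid) comment.
    results["semicolon_check"] = [rejects_semicolon(s) for s in SAMPLES]
    # Concatenation passes the semicolon but fails on the apostrophe, because
    # the data is being interpreted as SQL syntax: that is the root problem.
    conn = build_db()
    concat_errors = 0
    for s in SAMPLES:
        try:
            save_comment_concat(conn, s)
        except sqlite3.Error:
            concat_errors += 1
    results["concat_errors"] = concat_errors
    # Parameters store both comments exactly as typed, with no validation needed.
    conn = build_db()
    for s in SAMPLES:
        save_comment_param(conn, s)
    results["param_stored"] = stored_comments(conn)
    return results
```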

