×
The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.
On 26-Feb-2015 02:41 -0600, D*B wrote:
On 26-Feb-2015 00:59 -0600, Birgitta Hauser wrote:
I agree if the programmer / user can insert SELECT-Statements or
filter criteria on the fly, there is no way than using embedded
SQL. But again I only use it if no other way, the risk of SQL
injection may be huge.
... simply not true!!! DB2/400 is rather well prepared against
injection: you can't prepare a SQL String containing two SQL
statements.
The use of a statement separator for effecting SQL injection is often
the least of worries for business data, because they are generally
nefarious requests for which backups likely will enable a sufficient if
also painful recovery. Amazing how often that form of attach is what is
expressed as what anyone should be concerned about; downplaying that
specific effect seems legitimate for the DB2 for i SQL, which indeed
will not treat a dynamic string as a script. But the more likely and
negative attacks against the business data, those possibly resulting in
liability issues for the company entrusted with holding confidential
data, would be SQL coding that had enabled an ability for an attacker to
access data that should not be made available to them.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact
[javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
