× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Ah yes. SQL injection is a topic that can be discussed at length. :)


-----Original Message-----
From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Charles Wilt
Sent: Friday, October 24, 2014 10:57 AM
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] Net.Data - extra blank rows and an SQLSTATE 22003

I understand that (now)...

Was more concerned with SQL injection...

The manual has the following example:
%FUNCTION(DTW_SQL) query1() {
select * from shopper where shlogid = ’$(shlogid)’
%}

The value of the shlogid variable is intended to be a shopper ID. Its purpose is to limit the rows returned by the SELECT statement to rows that contain information about the shopper identified by the shopper ID.
However, if the string “smith’ or shlogid<>’smith” is passed as the value of the variable shlogid, the query becomes:
select * from shopper where shlogid = ’smith’ or shlogid<>’smith’

This user-modified version of the original SQL SELECT statement returns the entire shopper table.

The Net.Data string functions can be used to verify that the SQL statement is not modified by the user in inappropriate ways. For example, the following logic can be used to ensure that single-quotes are not used to modify SQL statements:
@DTW_ADDQUOTE(shlogid, shlogid)
@query1()

The query then becomes:
select * from shopper where shlogid = ’smith’’ or shlogid<>’’smith’



On Fri, Oct 24, 2014 at 10:30 AM, Allen, Todd <Todd.Allen@xxxxxxxxxxxxxxxxx>
wrote:

Using @dtw_addquote will handle quotes within the string itself. For
example, if you are comparing to a name such as O'Leary. Without
@dtw_addquote the SQL select statement would fail due to the single
quote in the name.

You still need to enclose character field in quotes for the comparison
in the WHERE clause.

Thanks,
Todd


-----Original Message-----
From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Charles
Wilt
Sent: Friday, October 24, 2014 10:21 AM
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] Net.Data - extra blank rows and an SQLSTATE
22003

Per the manual, I'm using @dtw_addquote()...

Is that enough?

Charles

On Thu, Oct 23, 2014 at 5:51 PM, Holger Scherer <hs@xxxxxxx> wrote:

Yes, please ;-)
If the data field is CHAR, use quotes.
And maybe you should have some casting routines to avoid trouble
when a user enters

'‘ OR 1=1

into your input field...

-h

Am 23.10.2014 um 23:40 schrieb Charles Wilt <charles.wilt@xxxxxxxxx>:



Do I always need to quote character values? Or is this some
funkyness
due
to the numeric value in a character column?


For More Than 80 Years—Delivering Solutions That Exceed Expectations.

This communication and any transmitted documents are intended to be confidential. If there is a problem with this transmission, please contact the sender. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.