> The apostrophe (I believe) is bombing out the SQL statement.
Don, allow me to introduce you to one of Walden's Rules, "If you have an apostrophe problem, you have a MAJOR security problem!" That problem is called a SQL Injection Attack.

Look at why you're having the problem. Somewhere you're passing a string to the database that the database is interpreting, and since it's got an apostrophe DB2 thinks it's the end of the string. From Craig's example we could use

    INSERT INTO USER1.CUSTABLE (LNAME, FNAME) VALUES ('O'Brien', 'Patrick')

as the potential string. Now, this is probably the result of building a string in your application and substituting in the variables, yes? And these values come from a web page, yes?

OK, what happens if I, the web user, enter this as first and last name:

    LastName: xxx
    FirstName: Bob');delete from item;

Now, you go and substitute that information and you send this string to the database:

    INSERT INTO USER1.CUSTABLE (LNAME, FNAME) VALUES ('xxx', 'Bob');delete from item;

What do you think happens? Put it this way... Hope you have a good backup of the item table.

I don't know net.data, but I'm sure it's got some form of support for parameter markers. You must use them and not construct a string like this unless you want to open yourself for some nasty surprises.

-Walden
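The string-building approach beside the parameter-marker approach, as an added example that is not part of the original post. It assumes Python's sqlite3 as a stand-in for DB2 and Net.Data, reuses the post's table names with constructed sample rows, and uses executescript() only to model an interface that accepts several statements in one string.

```python
import sqlite3

def fresh_db():
    # Constructed sample data; SQLite stands in for DB2 (assumption).
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE custable (lname TEXT, fname TEXT);"
        "CREATE TABLE item (id INTEGER);"
        "INSERT INTO item VALUES (1), (2), (3);"
    )
    return db

def insert_by_concatenation(db, lname, fname):
    # The 'before': input is pasted into the statement text, so the
    # database parses whatever the user typed as SQL.
    sql = f"INSERT INTO custable (lname, fname) VALUES ('{lname}', '{fname}');"
    db.executescript(sql)

def insert_with_markers(db, lname, fname):
    # The fix: '?' parameter markers. The statement text is fixed and the
    # values are bound separately, so they are never parsed as SQL.
    db.execute("INSERT INTO custable (lname, fname) VALUES (?, ?)",
               (lname, fname))
    db.commit()

def run_case(insert, lname, fname):
    """Return (customer rows, item rows, error class name or None)."""
    db = fresh_db()
    try:
        insert(db, lname, fname)
        error = None
    except sqlite3.Error as exc:
        error = type(exc).__name__
    cust = db.execute("SELECT COUNT(*) FROM custable").fetchone()[0]
    items = db.execute("SELECT COUNT(*) FROM item").fetchone()[0]
    return cust, items, error

def stored_fname(lname, fname):
    # What actually lands in the column when markers are used.
    db = fresh_db()
    insert_with_markers(db, lname, fname)
    return db.execute("SELECT fname FROM custable").fetchone()[0]

if __name__ == "__main__":
    inputs = [("O'Brien", "Patrick"), ("xxx", "Bob');delete from item;")]
    for insert in (insert_by_concatenation, insert_with_markers):
        for lname, fname in inputs:
            print(insert.__name__, repr(fname), run_case(insert, lname, fname))
```

In the concatenated case the statement still ends in an error on the leftover quote, but only after the earlier statements have already run, so a database error is not evidence that nothing happened.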
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].