× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. March 2011

RE: Using QCMDEXC in an SQL SELECT statement Was: Disabled User Profiles

Paul,

Do not rely upon "security by obscurity". Creating QCMDEXC as a function
is not a security breach. If you do not have access to DLTUSRPRF you
still cannot run it by using the User Defined Function (UDF) QCMDEXC. The
only thing that the function does is allow you to run it easier. We
created is as a function for the myriad of CL programs we had written that
basically did
DSP... OUTPUT(*OUTFILE) ...
DCLF ...
READ:
RCVF
MONMSG MSGID(CPF0864) EXEC(GOTO CMDLBL(EOF))
/* Do something */
GOTO CMDLBL(READ)
EOF:
EXIT:
ENDPGM

Is the ability to write a CL program a security breach? Should that be
something that antivirus programs should stop? By default anyone can
write a CL program. You do not need the application tools on your system.
All systems have EDTF and CRTCLPGM. If you find the SQL UDF a security
breach because it can be used to run DLTUSRPRF then I suggest you stop
giving all your users *SECADM and *ALLOBJ. That's a step in the right
direction.

Is having the UDF a breach because it doesn't slow down the developer and
make him think? Then, by all means, let's put other impediments in his
path. Let's ban CL and force them to use MI. After all, did you see
anything in the CL sample above that did any comparison? What was to stop
this CL program from forgetting the "where" and deleting all user
profiles?


Rob Berendt

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.