Re: JDBCR4 question -- Checking the syntax of a query without crashing the JVM -- MIDRANGE-L

× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.

On 2/25/2014 2:18 PM, James H. H. Lampert wrote:

My Fellow Midrange Geeks and Geekettes:

One of the features I've put into my project is the ability to
incorporate a user-specified WHERE clause into the generated WHERE
clauses of my queries, in order to filter the records accessed.

But if the user uses this feature to insert garbage into the WHERE
clause (e.g., "WHERE FOO = 'BAR'," with no FOO field in the file), it
results in a series of bad JDBC calls that crashes JDBC and the JVM,
requiring the user to sign off and sign back on.

Space offset X'00000000' or X'00008000300149F0' is outside current limit
for object <jobname> <user> <jobnum>.

I'd like to be able to catch the bad query before this happens. Is there
a way to do this?

Yes: Don't do that.

Seriously, this is called an SQL injection attack. Instead of allowing
the end user to put any free-form text into your WHERE clause, build a
front end where they select the columns and conditions and have your
code construct the WHERE clause.
--buck

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.