× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. RPG400-L
  3. August 2011

Re: Reduce large amount of logicals in SUBFL pgm, take in another direction

Rory,

You're correct, in a 5250 RPG app it's unlikely for SQL injection to occur...

But as you say, it *could* happen and in my mind that makes the app
unsafe period. Is a Ford pinto safe or unsafe? After all, not all of
them exploded when rear ended...

Even more likely if you end up calling the routine from someplace
besides and interactive session, and that is the idea right?

As you point out, using parameters is simply good practice....better
to be in the habit of it regardless of what language or environment
you are working in. And again, as you say parameters aren't hard to
use; personally I think they are easier as you don't have to worry
about the quotes in the statement.

Charles

On Mon, Aug 1, 2011 at 4:17 PM, Rory Hewitt <rory.hewitt@xxxxxxxxx> wrote:
Charles,

Whilst I obviously understand the problem of SQL injection, it is
*much*less of a problem with RPG than with e.g. C-like languages, for
many of the
same reasons that buffer overflows don't really hit RPG - because we don't
use open-ended strings with variable lengths to anything like the same level
that those other languages do.

For instance, using your example, the user has to have defined
userEnteredValue as a string of a certain length. If it's e.g. 10
characters, it's *very* hard to do much damage. Obviously if it's a long
character string, it gets more likely that bad things can happen, but that's
rare, especially ina  select statement.

Another reason, of course, is that if the program is an RPG interactive
program, you can be pretty sure that it's not being accessed across the web.
With a C program (not an IBM i interactive C program, obviously, but who
writes those anyway?), there is always the risk that it can be called from
lots of different places other than those where it was designed to be called
from.

The reason I use parameters is simply because it's "good practice". Plus, I
won't get hassled on this forum :)

Look, I think Gary should use parameters instead of direct concatenation,
but that doesn't mean that his application is currently *actually* unsafe -
just that it *could* be, in ways that parameters would mitigate.

Rory


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.