×
The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.
Kurt,
Yes you could look for semi-colon, quotes, dashes, ect..
The idea is know as input sanitizing (filtering) or "driver-native escaping"...
However, doing it right is non-trivial. Which is why .NET, Java, PHP
include functions to do it for you. RPG doesn't have such functions.
Unless your name is Scott Klement, I'd think twice about rolling your
own. In addition, what's been identified as unsafe may change. Do
you plan on staying up to date so you can modify your function? What
are you going to do when you've answered the 100th helpdesk ticket
from a user wanting to know why they don't get any results when
searching for "Al's Roadhouse"?
Luckily, there's a better way. Use parametrized statements (aka bind
variables) in dynamic SQL
It's not just my opinion that parametrized statements are better,
that's the collective wisdom of every (non-i at least :) developer
knowledgeable about the problem.
http://bobby-tables.com/
http://en.wikipedia.org/wiki/SQL_injection
An interesting read:
http://www.unixwiz.net/techtips/sql-injection.html
Interesting presentation:
http://www.slideshare.net/billkarwin/sql-injection-myths-and-fallacies
HTH,
Charles
On Tue, Aug 2, 2011 at 12:12 PM, Kurt Anderson
<kurt.anderson@xxxxxxxxxxxxxx> wrote:
I never knew about SQL injection until this thread (am I living under a rock?), so this has been quite informative.
I did have a comment/suggestion: Could the programmer check the user-input field for a semi-colon, and if that value was present to treat it as invalid and not perform the SQL (controlled abend)?
-Kurt
midrange.com
