× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



I understand that (now)...

Was more concerned with SQL injection...

The manual has the following example:
%FUNCTION(DTW_SQL) query1() {
select * from shopper where shlogid = ’$(shlogid)’
%}

The value of the shlogid variable is intended to be a shopper ID. Its
purpose is to limit the rows returned by the SELECT statement to rows that
contain information about the shopper identified by the shopper ID.
However, if the string “smith’ or shlogid<>’smith” is passed as the value of
the variable shlogid, the query becomes:
select * from shopper where shlogid = ’smith’ or shlogid<>’smith’

This user-modified version of the original SQL SELECT statement returns the
entire shopper table.

The Net.Data string functions can be used to verify that the SQL statement
is not modified by the user in inappropriate ways. For example, the
following logic can be used to ensure that single-quotes are not used to
modify SQL statements:
@DTW_ADDQUOTE(shlogid, shlogid)
@query1()

The query then becomes:
select * from shopper where shlogid = ’smith’’ or shlogid<>’’smith’



On Fri, Oct 24, 2014 at 10:30 AM, Allen, Todd <Todd.Allen@xxxxxxxxxxxxxxxxx>
wrote:

Using @dtw_addquote will handle quotes within the string itself. For
example, if you are comparing to a name such as O'Leary. Without
@dtw_addquote the SQL select statement would fail due to the single quote
in the name.

You still need to enclose character field in quotes for the comparison in
the WHERE clause.

Thanks,
Todd


-----Original Message-----
From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Charles
Wilt
Sent: Friday, October 24, 2014 10:21 AM
To: Web Enabling the IBM i (AS/400 and iSeries)
Subject: Re: [WEB400] Net.Data - extra blank rows and an SQLSTATE 22003

Per the manual, I'm using @dtw_addquote()...

Is that enough?

Charles

On Thu, Oct 23, 2014 at 5:51 PM, Holger Scherer <hs@xxxxxxx> wrote:

Yes, please ;-)
If the data field is CHAR, use quotes.
And maybe you should have some casting routines to avoid trouble when
a user enters

'‘ OR 1=1

into your input field...

-h

Am 23.10.2014 um 23:40 schrieb Charles Wilt <charles.wilt@xxxxxxxxx>:



Do I always need to quote character values? Or is this some
funkyness
due
to the numeric value in a character column?


For More Than 80 Years—Delivering Solutions That Exceed Expectations.

This communication and any transmitted documents are intended to be
confidential. If there is a problem with this transmission, please contact
the sender. If the reader of this message is not the intended recipient, or
the employee or agent responsible to deliver it to the intended recipient,
you are hereby notified that any dissemination, distribution or copying of
this communication is strictly prohibited.
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.