Something you might want to check - the restrictions in STRQM are limited to creating & running QMQRYs to what the user is allowed, but only in the STRQM environment. This does not stop anyone from using STRQMQRY to run anything he/she or another person has created, and doing this outside of the STRQM environment. I mean, anyone can make a QMQRY with a couple substitution variables only

&A&B

and they can use the SETVAR of STRQMQRY to put in almost any SQL statement of up to 110 characters.

Also, I just put your call statement into a source member of QQMQRYSRC and used CRTQMQRY. Even though I am limited to SELECT in STRQM on the time-share machine I've been using, this worked just fine.

So the so-called security control of STRQM is not what you want.

Vern

At 04:20 PM 11/16/2004, you wrote:
Most programmers in our shop use STRSQL to do their query. We could have them use iSeries Access, but they would probably go with STRQM if STRSQL is not allowed.


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Tom Jedrzejewicz
Sent: Tuesday, November 16, 2004 4:05 PM
To: Midrange Systems Technical Discussion
Subject: Re: security hole in interactive sql call statement?


On Tue, 16 Nov 2004 09:40:19 -0800, Tom Jedrzejewicz <tomjedrz@xxxxxxxxx> wrote:
> On Tue, 16 Nov 2004 10:49:57 -0600, Lim Hock-Chai
> <lim.hock-chai@xxxxxxxx> wrote:
> > we have. We might end up going with this route. Most programmers (me) don't really
> > like STRQM (asking all kinds of questions before it executes the SQL statement).
>
> That said - you could restrict STRSQL and force them to use the SQL
> execution through iSeries Access. I don't think the same security
> hole exists.


How about the Run Sql Script utility in iSeries Navigator?


