Thank you Walden - interesting and important advice to be followed!

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Walden H. Leverich
Sent: Monday, February 12, 2007 3:23 PM
To: Midrange Systems Technical Discussion
Subject: RE: .NET Data question
> The apostrophe (I believe) is bombing out the SQL statement.
Don, allow me to introduce you to one of Walden's Rules: "If you have an apostrophe problem, you have a MAJOR security problem!" That problem is called a SQL Injection Attack.

Look at why you're having the problem. Somewhere you're passing a string to the database that the database is interpreting, and since it's got an apostrophe, DB2 thinks it's the end of the string. From Craig's example we could use

INSERT INTO USER1.CUSTABLE (LNAME, FNAME) VALUES ('O'Brien', 'Patrick')

as the potential string. Now, this is probably the result of building a string in your application and substituting in the variables, yes? And these values come from a web page, yes? OK, what happens if I, the web user, enter this as first and last name:

LastName: xxx
FirstName: Bob');delete from item;

Now, you go and substitute that information and you send this string to the database:

INSERT INTO USER1.CUSTABLE (LNAME, FNAME) VALUES ('xxx', 'Bob');delete from item;

What do you think happens? Put it this way... Hope you have a good backup of the item table.

I don't know net.data, but I'm sure it's got some form of support for parameter markers. You must use them and not construct a string like this unless you want to open yourself for some nasty surprises.

-Walden

--
Walden H Leverich III
Tech Software
(516) 627-3800 x3051
WaldenL@xxxxxxxxxxxxxxx
http://www.TechSoftInc.com

Quidquid latine dictum sit altum videtur. (Whatever is said in Latin seems profound.)

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Don Cavaiani
Sent: Monday, February 12, 2007 1:38 PM
To: Midrange Systems Technical Discussion
Subject: RE: .NET Data question

Hi Doug:

I have a comment field, and when the users key in something like:

I'll get back to you.

- The apostrophe (I believe) is bombing out the SQL statement. There must be an easy solution for that??

Thanks,
Don C.
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Hart, Doug
Sent: Tuesday, January 30, 2007 3:26 PM
To: Midrange Systems Technical Discussion
Subject: RE: .NET Data question

The very best Net.Data support can be found here.

http://dtwdude.com/

--
Doug Hart - Sr. iSeries Consultant
ITT Corporation - Enterprise Infrastructure (EI)
Seneca Falls, New York - DataCenter
Voice: 315-568-7568
Doug.Hart@xxxxxxx

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Mark Allen
Sent: Monday, January 29, 2007 8:24 AM
To: Midrange Systems Technical Discussion
Subject: .NET Data question

Have a kinda vendor developed/kinda in house kludged (not by me) site using NET data and intermittently getting the following. Before I call the vendor and/or get on our in house people, does the error msg below give me any idea as to what (it very well could be a data issue)?

NET.DATA Error: Function call to DTW_FORMAT failed. Error Number is 4001.

--
http://unsystematic-diversity.blogspot.com/

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
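Walden's two scenarios from the thread, worked through in code. This is an added example, not code from the thread or from Net.Data: Python's sqlite3 stands in for DB2, with constructed CUSTABLE and ITEM tables of an assumed schema. The unsafe function pastes the user's text into the statement the way the thread describes; the safe one uses parameter markers.

```python
import sqlite3

# Constructed stand-ins for USER1.CUSTABLE and the ITEM table (assumed schema, not the thread's).
def setup():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE custable (lname TEXT, fname TEXT);
        CREATE TABLE item (id INTEGER);
        INSERT INTO item VALUES (1), (2), (3);
    """)
    return conn

def build_insert_unsafe(lname, fname):
    # The pattern Walden warns about: the user's text is substituted straight into the SQL.
    return "INSERT INTO custable (lname, fname) VALUES ('%s', '%s');" % (lname, fname)

def insert_unsafe(conn, lname, fname):
    # executescript runs every statement in the string, so substituted text is interpreted as SQL.
    conn.executescript(build_insert_unsafe(lname, fname))

def insert_safe(conn, lname, fname):
    # Parameter markers: the values travel separately and are never parsed as SQL.
    conn.execute("INSERT INTO custable (lname, fname) VALUES (?, ?)", (lname, fname))

def item_count(conn):
    return conn.execute("SELECT COUNT(*) FROM item").fetchone()[0]

def unsafe_with_apostrophe():
    # Don's symptom: the apostrophe in O'Brien ends the string early and the statement fails to parse.
    conn = setup()
    try:
        insert_unsafe(conn, "O'Brien", "Patrick")
        return "accepted"
    except sqlite3.Error:
        return "syntax error"

def unsafe_with_injection():
    # Walden's point: the same bug, fed the input from the thread, empties the ITEM table.
    conn = setup()
    try:
        insert_unsafe(conn, "xxx", "Bob');delete from item;")
    except sqlite3.Error:
        pass  # the leftover "');" fragment fails, but the DELETE has already been committed
    return item_count(conn)

def safe_with_both():
    # With parameter markers both inputs are stored literally and ITEM is untouched.
    conn = setup()
    insert_safe(conn, "O'Brien", "Patrick")
    insert_safe(conn, "xxx", "Bob');delete from item;")
    rows = conn.execute("SELECT lname, fname FROM custable ORDER BY lname").fetchall()
    return rows, item_count(conn)
```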