|
Thank you Walden - interesting and important advice to be followed! -----Original Message----- From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Walden H. Leverich Sent: Monday, February 12, 2007 3:23 PM To: Midrange Systems Technical Discussion Subject: RE: .NET Data question
The apostrophe (I believe) is bombing out the SQL statement.
midrange.com
Don, allow me to introduce you to one of Walden's Rules, "If you have an
apostrophe problem, you have a MAJOR security problem!" That problem is
called a SQL Injection Attack.
Look at why you're having the problem. Somewhere you're passing a string
to the database that the database is interpreting, and since it's got a
apostrophe DB2 thinks it's then end of the string. From Craig's example
we could use INSERT INTO USER1.CUSTABLE (LNAME, FNAME) VALUES
('O'Brien', 'Patrick') as the potential string. Now, this is probably
the result of building a string in your application and substituting in
the variables, yes? And these values come from a web page, yes? OK, what
happens if I, the web user, enters this as first and last name:
LastName: xxx
FirstName: Bob');delete from item;
Now, you go and substitute that information and you send this string to
the database:
INSERT INTO USER1.CUSTABLE (LNAME, FNAME) VALUES ('xxx', 'Bob');delete
from item;
What do you think happens? Put it this way... Hope you have a good
backup of the item table.
I don't know net.data, but I'm sure it's got some form of support for
parameter markers. You must use them and not construct a string like
this unless you want to open yourself for some nasty surprises.
-Walden
--
Walden H Leverich III
Tech Software
(516) 627-3800 x3051
WaldenL@xxxxxxxxxxxxxxx
http://www.TechSoftInc.com
Quiquid latine dictum sit altum viditur.
(Whatever is said in Latin seems profound.)
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Don Cavaiani
Sent: Monday, February 12, 2007 1:38 PM
To: Midrange Systems Technical Discussion
Subject: RE: .NET Data question
Hi Doug:
I have a comment field, and when the users key in something like: I'll
get back to you. - The apostrophe (I believe) is bombing out the SQL
statement. There must be an easy solution for that??
Thanks,
Don C.
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Hart, Doug
Sent: Tuesday, January 30, 2007 3:26 PM
To: Midrange Systems Technical Discussion
Subject: RE: .NET Data question
The very best Net.Data support can be found here.
http://dtwdude.com/
--
Doug Hart - Sr. iSeries Consultant
ITT Corporation - Enterprise Infrastructure (EI) Seneca Falls, New
York - DataCenter
Voice: 315-568-7568 Doug.Hart@xxxxxxx
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Mark Allen
Sent: Monday, January 29, 2007 8:24 AM
To: Midrange Systems Technical Discussion
Subject: .NET Data question
have a kinda vendor developed/kinda in house klidged (not by me) site
using NET data and intermittently getting the following, before I call
the vendor and/or get on our in house people does the error msg below
give me any idea as to what (it very well could be a data issue).
NET.DATA Error: Function call to DTW_FORMAT failed. Error Number is
4001.
--
http://unsystematic-diversity.blogspot.com/
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.
************************************
This e-mail and any files transmitted with it are proprietary and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this e-mail in error please notify the
sender. Please note that any views or opinions presented in this e-mail
are solely those of the author and do not necessarily represent those of
ITT, Inc. The recipient should check this e-mail and any attachments for
the presence of viruses. ITT accepts no liability for any damage caused
by any virus transmitted by this e-mail.
************************************
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
