Re: Reduce large amount of logicals in SUBFL pgm, take in another direction -- RPG400-L

Kurt,

Yes, you could do that, but of course, if the semi-colon is part of the
(valid) data the user is entering (for instance, in a comments section, they
might want to use one), then there would be a problem!

In general, whilst you *can* parse and validate your own user-entered data,
it's much simpler (and *better*) to use parameters.

I think lots of IBM i developers aren't aware of the problem of SQL
injection - you're certainly not an outlier! As I pointed out on a previous
post, because of the relatively 'niche' environment in which we work, plus
the fact that the vast majority of development (including SQLRPG) is done in
a green-screen world, we've needed to be less aware of potential problems
like this. I'll even stick my head out and say that SQL injection is
unlikely to *ever* be a 'real' problem for most IBM i shops. But that
doesn't mean that you shouldn't code 'properly', which means using
parameters.

Rory

On Tue, Aug 2, 2011 at 9:12 AM, Kurt Anderson
<kurt.anderson@xxxxxxxxxxxxxx>wrote:

I never knew about SQL injection until this thread (am I living under a
rock?), so this has been quite informative.

I did have a comment/suggestion: Could the programmer check the user-input
field for a semi-colon, and if that value was present to treat it as invalid
and not perform the SQL (controlled abend)?

-Kurt

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.