Re: Using host variable in embedded sql -- RPG400-L

On 26-Feb-2015 02:41 -0600, D*B wrote:

On 26-Feb-2015 00:59 -0600, Birgitta Hauser wrote:

I agree if the programmer / user can insert SELECT-Statements or
filter criteria on the fly, there is no way than using embedded
SQL. But again I only use it if no other way, the risk of SQL
injection may be huge.

... simply not true!!! DB2/400 is rather well prepared against
injection: you can't prepare a SQL String containing two SQL
statements.

The use of a statement separator for effecting SQL injection is often the least of worries for business data, because they are generally nefarious requests for which backups likely will enable a sufficient if also painful recovery. Amazing how often that form of attach is what is expressed as what anyone should be concerned about; downplaying that specific effect seems legitimate for the DB2 for i SQL, which indeed will not treat a dynamic string as a script. But the more likely and negative attacks against the business data, those possibly resulting in liability issues for the company entrusted with holding confidential data, would be SQL coding that had enabled an ability for an attacker to access data that should not be made available to them.

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.