Yes, it was with STRSQL.

But, all dynamic SQL I build (well, 99.99999%) always has something else in
it such as ORDER BY, select for XX rows, etc.

In talking worst case scenario, yes, I could see this being a problem. But
I am betting the ; won't work with dynamic SQL in RPG either. Just a hunch,
though.

Bradley V. Stone
BVSTools - www.bvstools.com
eRPG SDK - www.erpgsdk.com

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx]On
Behalf Of Walden H. Leverich
Sent: Friday, May 30, 2008 3:05 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] SQL Injection???


Token ; was not valid. Valid tokens: <END-OF-STATEMENT>.

Hmmm... was that on STRSQL? I wonder if STRSQL is trying to be "smart".
The DB2 statement separator is indeed a ';'. I don't have the time, but
what would happen in a program w/a prepare/execute?

-Walden

--
Walden H Leverich III
Tech Software
(516) 627-3800 x3051
WaldenL@xxxxxxxxxxxxxxx
http://www.TechSoftInc.com

Quidquid latine dictum sit, altum videtur.
(Whatever is said in Latin seems profound.)


-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Bradley V. Stone
Sent: Friday, May 30, 2008 2:49 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] SQL Injection???

But....

If you get back ID = "7;delete from customer" in your webpage and you
blindly concatenate that you'll get "select fld1, fld2 from file where
id = 7;delete from customer" and you'll send that off to the sql engine
to be interpreted and you'll get... a mess.

-Walden


Token ; was not valid. Valid tokens: <END-OF-STATEMENT>.

That's what I got.

Brad
--
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.

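The thread leaves open whether a PREPARE/EXECUTE in an RPG program rejects the ';' the way STRSQL did. The following is an added example, not code from the list or from either poster, and it does not settle that question: it uses Python's sqlite3 module as a stand-in for the DB2 engine (an assumption; DB2 for i was not tested here), with constructed customer and secret tables. What it shows is that an engine which refuses stacked statements, exactly as the "Token ; was not valid" message does, still leaves the concatenated query open to injection, because the attacker does not need a second statement: "OR 1=1" widens the predicate, a UNION pulls rows from another table, and a "--" line comment (which DB2 also accepts) discards the trailing ORDER BY that was supposed to get in the way. The parameterized version at the end is the fix.

```python
import sqlite3

# Constructed sample data (not from the thread): a customer table like the
# one in the example query, plus a second table the caller should never see.
SCHEMA = """
create table customer (id integer primary key, name text);
insert into customer values (7, 'Acme'), (8, 'Globex'), (9, 'Initech');
create table secret (id integer, token text);
insert into secret values (1, 'hunter2');
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def build_query_unsafe(user_id):
    # Blind concatenation. The trailing ORDER BY stands in for the
    # "something else" (ORDER BY, FETCH FIRST n ROWS) that usually follows
    # the predicate in real dynamic SQL.
    return "select id, name from customer where id = " + user_id + " order by name"


def run_unsafe(con, user_id):
    """Run the concatenated statement. Returns the rows, or the engine's
    error text when it refuses to parse the statement (as with a stacked ';')."""
    try:
        return con.execute(build_query_unsafe(user_id)).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # sqlite3 refuses more than one statement per execute(), the same
        # class of rejection as "Token ; was not valid" on STRSQL.
        return str(exc)


def run_safe(con, user_id):
    """Validate the input type, then bind it as a parameter marker, so the
    engine receives a value and never re-parses attacker text as SQL."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return con.execute(
        "select id, name from customer where id = ? order by name", (uid,)
    ).fetchall()


def customer_count(con):
    return con.execute("select count(*) from customer").fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    payloads = [
        "7",                                        # honest input
        "7; delete from customer",                  # stacked statement: rejected
        "7 or 1=1",                                 # widened predicate: all rows
        "7 union select id, token from secret --",  # UNION, comment eats ORDER BY
    ]
    for p in payloads:
        print(repr(p), "->", run_unsafe(con, p))
    print("customer rows still present:", customer_count(con))
    print("parameterized, '7 or 1=1' ->", run_safe(con, "7 or 1=1"))
```

The point for the practitioner is the third and fourth payloads: the ';' is the least interesting character in "7;delete from customer". Whether or not the engine honours a statement separator in dynamic SQL, the fix is the same, bind the value with a parameter marker (and check its type on the way in) instead of building the statement from strings.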
