Practical Dynamic SQL Article

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

Joe,

I'm afraid you deserve 50 lashes with a wet noodle. How could you write an article about dynamic SQL without mentioning SQL injection?

Using dynamic SQL as you've shown in your example would cause the code to fail a PCI DSS audit.
(section 6.5.2 Injection flaws, particularly SQL injection) https://www.pcisecuritystandards.org..._download.html

SQL injection is one vulnerability that could affect even 5250 applications.

The solution is simple. If you need dynamic SQL (for example, the table accessed may change, perhaps depending on the current user), then you need to use parameter markers when dealing with variables passed in by the user. While you could try to code checks to prevent SQL injection, it's a heck of a lot easier and safer to simply use parameter markers.

So as an IT professional, you'd better learn to love parameter markers.

Charles Wilt
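As an added illustration of the reply's point (example code added here, not from the original post or from the article it replies to): the dynamic part of the statement, which table to read, is chosen from a fixed allow-list, while the value the user typed is passed through a `?` parameter marker instead of being spliced into the statement text. The example assumes Python's built-in SQLite in place of DB2 for i, and the table names `ORDERS_US` / `ORDERS_EU` and sample rows are constructed for the demonstration; the `?` marker syntax is the same one DB2 for i dynamic SQL uses.

```python
import sqlite3

# Hypothetical per-region tables; the table name cannot be a parameter
# marker, so it is selected from this fixed allow-list rather than built
# from raw user input.
ALLOWED_TABLES = {"ORDERS_US", "ORDERS_EU"}


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    for table in sorted(ALLOWED_TABLES):
        conn.execute(f"CREATE TABLE {table} (ordno INTEGER, custno TEXT, amount REAL)")
    conn.executemany("INSERT INTO ORDERS_US VALUES (?, ?, ?)",
                     [(1, "C100", 10.0), (2, "C200", 20.0), (3, "C100", 30.0)])
    conn.executemany("INSERT INTO ORDERS_EU VALUES (?, ?, ?)",
                     [(9, "C900", 90.0)])
    conn.commit()
    return conn


def pick_table(region):
    """Dynamic SQL done safely: map the user's region to an allow-listed table."""
    table = f"ORDERS_{region.upper()}"
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown region: {region!r}")
    return table


def orders_concat(conn, region, custno):
    """The pattern the reply objects to: the customer number the user
    supplied is concatenated into the statement text, so any quote
    characters in it become part of the SQL."""
    sql = f"SELECT ordno FROM {pick_table(region)} WHERE custno = '{custno}'"
    return sorted(row[0] for row in conn.execute(sql))


def orders_marker(conn, region, custno):
    """The fix: once the table is chosen the statement text is fixed, and
    custno travels separately as a bound value that is never parsed as SQL."""
    sql = f"SELECT ordno FROM {pick_table(region)} WHERE custno = ?"
    return sorted(row[0] for row in conn.execute(sql, (custno,)))


if __name__ == "__main__":
    db = make_db()
    # Same well-formed input, same answer from both versions.
    print(orders_concat(db, "us", "C100"), orders_marker(db, "us", "C100"))
    # A value containing a quote: the concatenated statement no longer means
    # what the programmer intended, the parameterised one just finds nothing.
    odd = "x' OR '1'='1"
    print(orders_concat(db, "us", odd), orders_marker(db, "us", odd))
```

Running it shows both functions returning `[1, 3]` for a normal customer number, but for the value containing a quote the concatenated version returns every order in the table while the parameter-marker version returns an empty list, because the quote is data, not syntax, once it is bound through `?`.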