tags:

views:

481

answers:

2
Q: 

SQL injection - no danger on stored procedure call (on iSeries)?

I've done some searching around but I have a specific question on SQL Injection and hope I can get some input as I believe I may be getting the wrong end of the stick to do with field data sanitising etc :-

I have a java program calling a stored procedure on an iSeries. The stored procedure has CL / RPG code behind the scenes. The stored procedure is called by way of parameters with the data coming from a web page. For example the call would look like the following:-

call library.prog('field1Value', 'field2Value')

Do I need to worry about any characters entered via the website into 'field1Value' etc or, because it is a stored procedure call, does the danger of sql injection not exist? Does it depend on whether the RPG program behind the scenes uses 'field1Value' in its own SQL statement as part of that processing?

The field lengths passed into the proecdure are fixed length so we cannot, for example, convert 'dodgy' characters into their html equivalent.

Appreciate any (I'm anticipating this might be a stupid question!) feedback (not necessarily iSeries specific) on this.

A: 

If you're using the JDBC CallableStatement, then you're safe. CallableStatement is just a subtype of PreparedStatement, and SQL injection attacks should not be possible. The only way I can think of for this not to be true would be if your stored procedure was executing dynamic SQL.

skaffman  2009-07-13 14:12:15
We are using CallableStatement...
oidsman  2009-07-13 14:17:40
A: 

unless you are using those parameters to construct dynamic sql in the proc itself you should be fine

also you cannot clean it by checking the parameters

see here: SQL teaser..try protecting this

below is sql server syntax

I can call a proc like this

prDropDeadFred ' declare @d varchar(100) select @d = reverse(''elbaTdaB,elbatecin elbat pord'') exec (@d)'

or like this

prDropDeadFred ' declare @d varchar(100) select @d = convert(varchar(100),0x64726F70207461626C65204E6963655461626C652C4261645461626C65) exec (@d)'

or 5000 other ways that you won't know about

SQLMenace  2009-07-13 14:14:47
If I find that the proc is constructing some dynamic SQL using one or more field values, I assume that the proc should take care of 'cleaning' the data to ensure no SQL injection is possible? Is there any guidance on how this should work?
oidsman  2009-07-13 14:25:11
you can't clean that, see link in answer
SQLMenace  2009-07-13 14:33:49

related questions

Why does this remote script cause IE6 to hang?
HTTP input filter like mod_security for WebSphere?
Should I sanitize HTML markup for a hosted CMS?
HTML/Javascript app that runs on the filesystem, security issue
Gracefully closing a frame (toolbar) around an iframe
What's the best method for sanitizing user input with PHP?
How do you htmlencode using html agility pack?
XSS Blacklist - Is anyone aware of a reasonable one?
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
What percentage of my time will be spent in user input verfication during web development?
How do you allow the usage of an <img> while preventing XSS?
What are the best practices for avoid xss attacks in a PHP site
How do use fckEditor safely, without risk of cross site scripting?
Will HTML Encoding prevent all kinds of XSS attacks?
Inform potential clients about security vulnerabilities?
Best Practice: Legitimate Cross-Site Scripting
Access to restricted URI denied code: 1012
How do you set up use HttpOnly cookies in PHP
When is it Best to Sanitize User Input?
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
Communicating between websites (using Javascript or ?)
Best regex to catch XSS (Cross-site Scripting) attack (in Java)?
Sanitising user input using Python
Catching SQL Injection and other Malicious Web Requests