1. João Jerónimo Barata de Oliveira
  2. PowerBuilder
  3. Thursday, 22 March 2018

Hello,

I have a PB Classic app that has some SQL injection problems. They are caused by some DESCRIBE statements, which as far as I know are related to duplicate detection in lists.

Anyway, the app was not developed by me and it builds a SQL SELECT query by text concatenation that is then used in a DESCRIBE statement, like this:
ls_sqlsyntax = "SELECT " + ls_fields + " FROM " + ls_table + " WHERE " + ls_where
PREPARE SQLSA FROM :ls_sqlsyntax USING SQLCA;
DESCRIBE SQLSA INTO SQLDA;
Whereas ls_where means:
ls_where = "(" + ls_dbname + " = '" + ls_valor + "')"

And ls_valor is a unscaped string that can contain a single-quote character (').
Is there an API function I can call to apropriately encode this type of characters?

Something like this exists in other programming environments, for example "mysql_real_escape_string" in PHP.

Thanks,
João Jerónimo

Michael Kramer Accepted Answer Pending Moderation
0
Votes
Undo

Hi João,

You need to "escape" the single quotes within the ls_valor string with an extra quote (unless Informix deviates from ANSI SQL). EX:

'This isn''t hard when you know the trick'    =>    is actually    =>    This isn't hard when you know the trick

It is a fairly straightforward search-and-replace of all occurrences within the string. 

In PFCm, the string service has an of_GlobalReplace function performing search repeated replace.

 

HTH /Michael

Comment
There are no comments made yet.
  1. Thursday, 22 March 2018
  2. PowerBuilder
  3. # 1
  • Page :
  • 1


There are no replies made for this question yet.
However, you are not allowed to reply to this question.