1. João Jerónimo Barata de Oliveira
  2. PowerBuilder
  3. Thursday, 22 March 2018 11:02 AM UTC

Hello,

I have a PB Classic app that has some SQL injection problems. They are caused by some DESCRIBE statements, which as far as I know are related to duplicate detection in lists.

Anyway, the app was not developed by me and it builds a SQL SELECT query by text concatenation that is then used in a DESCRIBE statement, like this:
ls_sqlsyntax = "SELECT " + ls_fields + " FROM " + ls_table + " WHERE " + ls_where
PREPARE SQLSA FROM :ls_sqlsyntax USING SQLCA;
DESCRIBE SQLSA INTO SQLDA;
Whereas ls_where means:
ls_where = "(" + ls_dbname + " = '" + ls_valor + "')"

And ls_valor is a unscaped string that can contain a single-quote character (').
Is there an API function I can call to apropriately encode this type of characters?

Something like this exists in other programming environments, for example "mysql_real_escape_string" in PHP.

Thanks,
João Jerónimo

Michael Kramer Accepted Answer Pending Moderation
  1. Thursday, 22 March 2018 19:30 PM UTC
  2. PowerBuilder
  3. # 1

Hi João,

You need to "escape" the single quotes within the ls_valor string with an extra quote (unless Informix deviates from ANSI SQL). EX:

'This isn''t hard when you know the trick'    =>    is actually    =>    This isn't hard when you know the trick

It is a fairly straightforward search-and-replace of all occurrences within the string. 

In PFCm, the string service has an of_GlobalReplace function performing search repeated replace.

 

HTH /Michael

Comment
There are no comments made yet.
  • Page :
  • 1


There are no replies made for this question yet.
However, you are not allowed to reply to this question.
We use cookies which are necessary for the proper functioning of our websites. We also use cookies to analyze our traffic, improve your experience and provide social media features. If you continue to use this site, you consent to our use of cookies.