SQL injection when interfacing PowerBuilder Classic code with an Informix database

View Replies (1)

Resolved SQL injection when interfacing PowerBuilder Classic code with an Informix database

Issue

0

Votes

Undo

João Jerónimo Barata de Oliveira
PowerBuilder
Thursday, 22 March 2018 11:02 AM UTC

Hello,

I have a PB Classic app that has some SQL injection problems. They are caused by some DESCRIBE statements, which as far as I know are related to duplicate detection in lists.

Anyway, the app was not developed by me and it builds a SQL SELECT query by text concatenation that is then used in a DESCRIBE statement, like this:
ls_sqlsyntax = "SELECT " + ls_fields + " FROM " + ls_table + " WHERE " + ls_where
PREPARE SQLSA FROM :ls_sqlsyntax USING SQLCA;
DESCRIBE SQLSA INTO SQLDA;
Whereas ls_where means:
ls_where = "(" + ls_dbname + " = '" + ls_valor + "')"

And ls_valor is a unscaped string that can contain a single-quote character (').
Is there an API function I can call to apropriately encode this type of characters?

Something like this exists in other programming environments, for example "mysql_real_escape_string" in PHP.

Thanks,
João Jerónimo

Class

Responses (1)

Michael Kramer Accepted Answer Pending Moderation

Thursday, 22 March 2018 19:30 PM UTC
PowerBuilder
# 1

Hi João,

You need to "escape" the single quotes within the ls_valor string with an extra quote (unless Informix deviates from ANSI SQL). EX:

'This isn''t hard when you know the trick' => is actually => This isn't hard when you know the trick

It is a fairly straightforward search-and-replace of all occurrences within the string.

In PFCm, the string service has an of_GlobalReplace function performing search repeated replace.

HTH /Michael

Comment

There are no comments made yet.

Page :
1

There are no replies made for this question yet.
However, you are not allowed to reply to this question.

Please login to post a reply

You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here. Register Here »

Forgot Password?

We use cookies which are necessary for the proper functioning of our websites. We also use cookies to analyze our traffic, improve your experience and provide social media features. If you continue to use this site, you consent to our use of cookies.