[CLOSED] Parameter validation and sql passthru
Member posted:
Hi,

I am using a SQL passthru that uses a user-supplied parameter such as:

  select * from test where id = to_number(&SOURCE) 


The problem I am having is that I can send in a value for the SOURCE parameter like:

 1) union select * from test union (select * from test 


This will allow the SQL to run and return without errors.

The query that runs would look like:

 select * from test where id = to_number(1) union select * from test union (select * from test) 


Is there any way/setting in IBI to make sure something like this won't happen?

Thanks,
Manish

This message has been edited. Last edited by: Kerry,


WebFOCUS 7.6
Windows, All Outputs
 
Posts: 16 | Registered: September 12, 2012

Master posted:
This should help. I tested it using what you provided.
-SET &ECHO=OFF;
DEFINE FUNCTION ISNUMERIC(FLD/A20, POSITION/I2)
FLD/A1 = SUBSTR(20, FLD, POSITION, POSITION+1, 1, FLD);
ISNUMERIC/A5 = IF FLD GE '0' AND FLD LE '9' THEN 'TRUE' ELSE 'FALSE';
END
-RUN
-SET &CHECKGOOD = 'TRUE';
-REPEAT :LOOP FOR &POS FROM 1 TO &SOURCE.LENGTH
-SET &VAL = ISNUMERIC('&SOURCE.EVAL', &POS);
-IF &VAL EQ 'FALSE' THEN GOTO :NOTVALID;
-:LOOP
-TYPE Thank you for entering a valid NUMERICAL value for SOURCE!
-GOTO :END
-:NOTVALID
-TYPE Your entry for SOURCE is invalid.
-TYPE &SOURCE
-TYPE Please enter a valid NUMERICAL value for SOURCE!
-:END




Scott

 
Posts: 865 | Registered: May 24, 2004

Master posted:
While the above example does work and shows how you could do it, an easier way to check if it is numeric is

-SET &TYP = &SOURCE.TYPE;

&TYP will be A for Alpha or N for Numeric. 




Scott

 
Posts: 865 | Registered: May 24, 2004

Member posted:
Thanks!

Any idea on what to do when the input can be a string?
Such as:
select * from test where name = '&SOURCE'
I can send a string such as:
1' union select * from test where name is not null or name = '
So I get:
select * from test where name = '1' union select * from test where name is not null or name = ''

Can this type of injection also occur using FOCUS?
How would I stop that?

Thanks!


WebFOCUS 7.6
Windows, All Outputs
 
Posts: 16 | Registered: September 12, 2012

Master posted:
You might try using CONTAINS in an IF statement and see if the value contains the word SELECT. PS: for your test, convert the field to upper or lower case; then it makes your IF statement a lot easier. If CONTAINS does not work, you could use the POSIT function.




Scott

 
Posts: 865 | Registered: May 24, 2004

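The following is an added example, written for this thread and not code from any of the posters or from Information Builders. It runs the two inputs quoted above (the numeric one from the first post and the string one from the follow-up) through the three checks discussed: the per-character digit test (the ISNUMERIC loop / &SOURCE.TYPE idea), the CONTAINS 'SELECT' keyword test, and, as the stronger alternative, passing the value as a bound parameter instead of splicing it into the SQL text. The "test" table and its rows are constructed sample data; an in-memory SQLite database and its "?" placeholder stand in for whatever bind facility the real passthru interface offers (an assumption about the target DBMS). The numeric query is only rendered as text, because SQLite has no to_number; the string query is executed both ways so the difference in returned rows is visible.

```python
import sqlite3

# Constructed stand-in for the thread's "test" table (not the poster's data).
SAMPLE_ROWS = [(1, "alpha"), (2, "beta"), (3, "gamma")]

# The two inputs quoted in the thread, verbatim.
NUMERIC_PAYLOAD = "1) union select * from test union (select * from test"
STRING_PAYLOAD = "1' union select * from test where name is not null or name = '"


def make_db():
    """In-memory SQLite table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO test VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def is_numeric(value):
    """Whitelist check: every character must be a digit 0-9.
    Same rule as the thread's ISNUMERIC loop / '&SOURCE.TYPE EQ N' test."""
    return value != "" and all("0" <= ch <= "9" for ch in value)


def contains_select(value):
    """Blacklist check suggested for the string case: CONTAINS 'SELECT' after
    upper-casing. It catches the thread's payload, but also rejects any
    legitimate value containing those letters and misses keywords not listed,
    so treat it as a secondary signal rather than the control."""
    return "SELECT" in value.upper()


def escape_quotes(value):
    """Standard SQL string-literal escaping: double every single quote so the
    value cannot close the literal. A fallback only; binding is preferred."""
    return value.replace("'", "''")


def unsafe_numeric_query(source):
    """Text produced by substituting &SOURCE straight into the numeric query."""
    return "select * from test where id = to_number(%s)" % source


def unsafe_string_query(source):
    """Text produced by substituting &SOURCE straight into the string query."""
    return "select * from test where name = '%s'" % source


def run_unsafe_string(conn, source):
    """Executes the substituted text as-is: the payload's UNION becomes SQL."""
    return conn.execute(unsafe_string_query(source)).fetchall()


def run_bound_string(conn, source):
    """The value travels as a bound parameter, so it is only ever compared as data."""
    return conn.execute("select * from test where name = ?", (source,)).fetchall()


def run_bound_numeric(conn, source):
    """Whitelist first, then bind: non-numeric input never reaches the DBMS."""
    if not is_numeric(source):
        raise ValueError("SOURCE must be numeric: %r" % source)
    return conn.execute("select * from test where id = ?", (int(source),)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(unsafe_numeric_query(NUMERIC_PAYLOAD))            # the query the poster saw
    print(is_numeric(NUMERIC_PAYLOAD), is_numeric("1"))     # False True
    print(len(run_unsafe_string(conn, STRING_PAYLOAD)))     # every row comes back
    print(run_bound_string(conn, STRING_PAYLOAD))           # nothing matches
    print(run_unsafe_string(conn, escape_quotes(STRING_PAYLOAD)))  # nothing matches
    print(contains_select(STRING_PAYLOAD))                  # True
```

The point of running both forms side by side: with direct substitution the string payload returns the whole table, while the same value bound as a parameter (or, failing that, quote-escaped) matches nothing, and the numeric whitelist stops the first payload before any SQL is built. A keyword check on its own is the weakest of the three and is best used as logging or a secondary guard behind the whitelist or the bind.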
Copyright © 1996-2020 Information Builders