
RBF SQL Injection

Recently got this error web page:

Error

CRRBF0558I: Failed SQL query: [org.apache.commons.dbcp.DelegatingPreparedStatement@be00be] => [com.microsoft.sqlserver.jdbc.SQLServerException: Incorrect syntax near the keyword 'Key'.]
Copyright International Business Machines Corporation 2003, 2006. All rights reserved


Suggest you don't use SQL keywords in BOM fields.

Yes, we're going to file a PMR.

Safe driving

0 votes



2 answers

Raised it.

0 votes


I've discussed this with L2. What is going on here is that through a .bom setcolumn command, you have inserted data that causes a syntax error when querying your bom tables. This is technically SQL injection, and this is a defect that needs to be addressed.

However, the field used for inserting this data is already scrubbed against non-word characters, but it is not scrubbed for all keywords for all supported databases. This does not create a vulnerability that can be exploited to modify or gain unauthorized access to the database.

0 votes
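To illustrate the distinction drawn in the answer above (a word-only scrub stops classic injection, but a bare reserved word spliced in as a column name still breaks the query), here is an added Python example; it is not Build Forge code. The table name, the column names other than 'Key', and the bracket-quoting fix are assumptions, and SQLite stands in for SQL Server since both accept [] identifier quoting.

```python
import re
import sqlite3

# Constructed sample: column names as a .bom setcolumn command might supply them.
# "Key" is the identifier from the CRRBF0558I error on this page; the rest are made up.
SAMPLE_COLUMNS = ["Component", "Key", "Order"]

WORD_ONLY = re.compile(r"^\w+$")


def scrub(name):
    """The check the answer describes: reject any non-word character.
    This blocks quotes, semicolons and comment markers, not reserved words."""
    if not WORD_ONLY.match(name):
        raise ValueError("non-word character in identifier: %r" % name)
    return name


def is_accepted(name):
    """True if the scrub lets the identifier through."""
    try:
        scrub(name)
        return True
    except ValueError:
        return False


def build_select_unquoted(table, columns):
    """Reproduces the defect: scrubbed identifiers are spliced in bare, so a
    reserved word such as Key is read as a keyword by the SQL parser."""
    cols = ", ".join(scrub(c) for c in columns)
    return "SELECT %s FROM %s" % (cols, scrub(table))


def quote_ident(name):
    """Hardened form: scrub, then bracket-quote so the token is always an identifier.
    The ']' doubling is redundant after scrub but keeps this function safe on its own."""
    return "[" + scrub(name).replace("]", "]]") + "]"


def build_select_quoted(table, columns):
    cols = ", ".join(quote_ident(c) for c in columns)
    return "SELECT %s FROM %s" % (cols, quote_ident(table))


def run_quoted_demo():
    """Runs the hardened query against an in-memory SQLite table whose
    columns include reserved words; returns the single row inserted."""
    conn = sqlite3.connect(":memory:")
    col_defs = ", ".join(quote_ident(c) + " TEXT" for c in SAMPLE_COLUMNS)
    conn.execute("CREATE TABLE %s (%s)" % (quote_ident("bom"), col_defs))
    conn.execute("INSERT INTO [bom] VALUES ('x', 'y', 'z')")
    row = conn.execute(build_select_quoted("bom", SAMPLE_COLUMNS)).fetchone()
    conn.close()
    return row
```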

Question details

Question asked: Jan 09 '12, 3:00 a.m.

Question was seen: 7,641 times

Last updated: Jan 09 '12, 3:00 a.m.
