
Thread: DB2 SQL Injection

  1. #1

    DB2 SQL Injection

    Is DB2 susceptible to SQL Injection as other databases are, for example Oracle and SQL Server? Does it allow compound/multiple statements separated by a semicolon?

    Thanks.

    Greg

  2. #2

    DB2 SQL Injection

    Hi,
    Any database that understands SQL queries can be vulnerable to SQL Injection attacks as the attack is done by using the SQL language and not vulnerabilities in the different types of database applications. The easiest way to protect yourself against it is to disallow any valid SQL commands/text e.g. ' " ! If the validation on your text entry box is configured to drop any queries with these characters then the SQL injection will fail.

    Hope that helps!

    Cheers wwwales

    Internet & Web Security Consultants
    www.iwsec.co.uk

  3. #3
    Thanks wwwales for your reply. Unfortunately it didn't really get to the heart of my question. I have a world full of general information but was looking for specifics on DB2.

    Thanks again.

    Greg

  4. #4

    DB2 and SQL injection

    To avoid SQL injection with DB2, you should use prepared statements with parameter markers: db2_prepare() / db2_execute() if you're using the ibm_db2 PECL extension, PDO::prepare() / PDOStatement::execute() if you're using PDO.

    A prepared statement generally looks like this:

    SELECT credit_card, expiry FROM table WHERE user = ? AND password = ?

    Each ? in the prepared statement is then replaced by exactly one variable that you either bind (using something like db2_bind_param()) or pass as an array to the execute() function. This prevents the most common sort of vulnerability where a user passes in a value like:

    1' OR 1 = 1

    to trick plain old PHP variable interpolation (as is commonly used in mysql_query() and friends) into adding an extra clause to the SQL statement.

    The execute() function will bind that input value to exactly one parameter (so that password really is compared against "1' OR 1 = 1" rather than just 1 with the additional, always true OR clause appended to the statement).

    Note that it also automatically handles quoting of string values for you -- really nice.
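    The interpolation-versus-parameter-marker difference described in the reply above, as an added example that is not part of the original post. It assumes an in-memory SQLite database standing in for DB2 (SQLite is used only because it runs offline and accepts the same ? parameter markers), a constructed users table, and the reply's "1' OR 1 = 1" input with a trailing -- comment marker so the statement still parses once the closing quote is swallowed.

    ```python
    import sqlite3

    # Constructed sample rows standing in for the "table" in the reply's query.
    SAMPLE_USERS = [
        ("greg", "s3cret", "4111-xxxx-xxxx-1111", "2007-01"),
        ("dan", "hunter2", "5500-xxxx-xxxx-5500", "2008-06"),
    ]

    # The reply's injected value, plus "--" so the interpolated statement
    # remains syntactically valid after the original closing quote is commented out.
    INJECTED_PASSWORD = "1' OR 1 = 1 --"


    def open_db():
        """Create the in-memory stand-in for the DB2 table (assumption: SQLite, not DB2)."""
        conn = sqlite3.connect(":memory:")
        conn.execute(
            "CREATE TABLE users (user TEXT, password TEXT, credit_card TEXT, expiry TEXT)"
        )
        conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
        return conn


    def lookup_interpolated(conn, user, password):
        """Vulnerable pattern: user input is spliced into the SQL text, so a quote
        in the input changes the structure of the statement (adds an OR clause)."""
        sql = (
            "SELECT credit_card, expiry FROM users "
            f"WHERE user = '{user}' AND password = '{password}'"
        )
        return conn.execute(sql).fetchall()


    def lookup_prepared(conn, user, password):
        """Parameter markers: each ? is bound to exactly one value, so the whole
        input string is compared against the password column as data, never parsed as SQL."""
        sql = "SELECT credit_card, expiry FROM users WHERE user = ? AND password = ?"
        return conn.execute(sql, (user, password)).fetchall()


    if __name__ == "__main__":
        db = open_db()
        print("interpolated:", lookup_interpolated(db, "greg", INJECTED_PASSWORD))  # every row leaks
        print("prepared:    ", lookup_prepared(db, "greg", INJECTED_PASSWORD))      # no rows
    ```
    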

  5. #5
    Dan,

    Thanks for the good information.

    Do you have answers to my original questions? I assume you are answering in the affirmative for the first question. How about the second?

    >> Is DB2 susceptible to SQL Injection as other databases are, for example Oracle and SQL Server? Does it allow compound/multiple statements separated by a semicolon? <<

    Thanks again.

    Greg
