View RSS Feed

Development Team Blog

DataFlex and SQL Injection

Rate this Entry
Are Visual DataFlex projects that use one of the Data Access CLI connectivity kits (DB2 Connectivity Kit, ODBC Connectivty Kit and Microsoft SQL Server Connectivty Kit) vulnerable for attacks described as SQL Injection?

From time to time we get this question because people read about SQL injection and with the CLI drivers you talk via ODBC to an SQL based server. To answer this question correctly one first needs to understand what SQL injection really is. Let's look what Microsoft says about SQL Injection:
SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives.
Source: Microsoft.

SQL Injection is thus when your application constructs an SQL statement based on values from input resources in an uncontrolled way. Input resources can be controls in your Windows or Web application, sequential I/O, webservices etc.

The Data Access CLI connectivity kits create SQL statements with parameters which are compiled before data is assigned to any of the parameters. For example the structure of an update instruction for a row in a table is:

Code:
UPDATE table SET field1 = ?, field2 = ?, … WHERE RECNUM = ?
After this statement construction, the statement will be compiled via an SQLPrepare operation without data. When successful, the data is added to the statement with SQLBind operations. Finally an SQLExecute is performed to really update the row in the table. Preparing statements is therefore a separate process which makes the Data Access CLI connectivity kits insensitive to SQL Injection.

The statement construction of the Data Access CLI connectivity kits is of course not limited to SQL UPDATE statements and also used for all other statements generated by the connectivity kits.

But what happens when you use Embedded SQL in your DataFlex applications? Can this be vulnerable? Yes, it can if you simply dynamically create a statement by concatenating strings. The examples you can find on internet about this are very clear about this. So, be careful. Next to the vulnerability one should limit the use of embedded SQL for the insert, update or delete operations because it will bypass the business rules in your DataDictionaries and, therefore, may harm the integrity of the data.

Comments

  1. A Paul Anthony's Avatar
    Where is this SQLBind you speak of? I'd love to be able to do this. I figured out we could prepare statements but never managed to be able to pass in the arguments. There's a SQLBindFile which can be used to pull back an a result set into a file buffer, but I can't find one to set our own argument values.

    Without the ability to bind value with my own ESQL statements, I'm left to use the next best thing (which really isn't) and have a series of helper functions to carefully escape and cast values for me :-(