DataFlex and SQL Injection
11-Feb-2011 at 04:55 AM (11265 Views)
Are Visual DataFlex projects that use one of the Data Access CLI connectivity kits (the DB2 Connectivity Kit, the ODBC Connectivity Kit and the Microsoft SQL Server Connectivity Kit) vulnerable to the attacks described as SQL injection?
We get this question from time to time: people read about SQL injection and know that, with the CLI drivers, the application talks via ODBC to an SQL-based server. To answer the question correctly one first needs to understand what SQL injection really is. Let's look at what Microsoft says about it:
Source: Microsoft. "SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives."
SQL injection, then, occurs when your application constructs an SQL statement from input values in an uncontrolled way, so that the input is parsed as part of the statement instead of being treated as data. That input can come from controls in your Windows or Web application, from sequential I/O, from web services, etc.
The Data Access CLI connectivity kits create SQL statements with parameter markers, and the statement is compiled before any data is assigned to those parameters. For example, the structure of an update instruction for a row in a table is:
Code:
UPDATE table SET field1 = ?, field2 = ?, … WHERE RECNUM = ?
After this statement has been constructed, it is compiled via an SQLPrepare operation that contains no data at all. When that succeeds, the data is bound to the parameter markers (SQLBindParameter), and finally an SQLExecute is performed to actually update the row in the table. Because the statement text is fixed at prepare time and the values arrive only afterwards, a value can never change the structure of the statement, whatever quotes or keywords it contains. This separation of preparation and data is what makes the Data Access CLI connectivity kits insensitive to SQL injection.
This statement construction in the Data Access CLI connectivity kits is of course not limited to SQL UPDATE statements; the same prepare, bind and execute sequence is used for all other statements the connectivity kits generate.
But what happens when you use Embedded SQL in your DataFlex applications? Can that be vulnerable? Yes, it can, if you simply create a statement dynamically by concatenating strings that contain user input. The examples of this that you can find on the internet are very clear, so be careful: the protection described above belongs to the statements the connectivity kits generate, not to statements you build yourself, and escaping quotes by hand is easy to get wrong. Apart from the injection risk, you should also limit the use of embedded SQL for insert, update or delete operations, because it bypasses the business rules in your DataDictionaries and may therefore harm the integrity of the data.
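To make the difference between the two paragraphs above concrete, here is an added example written for this article; it is not code from the DataFlex connectivity kits or from Data Access. Python's sqlite3 module stands in for embedded SQL talking to a server over ODBC (its execute(sql, params) call prepares the statement first and binds the values afterwards, the same order the kits use), the customer table and its rows are constructed, and the attacker string is made up. The concatenated query and the parameterised query receive exactly the same malicious input; only the first one changes meaning.

```python
"""Added example (not part of the original article): string concatenation in
embedded SQL versus a statement prepared with parameter markers.

sqlite3 stands in for DataFlex ESQL over ODBC; the table, its rows and the
attacker input are all constructed here so the script runs offline.
"""
import sqlite3


def make_db():
    # Constructed sample table standing in for a DataFlex table with a RECNUM column.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (recnum INTEGER PRIMARY KEY, name TEXT, city TEXT)"
    )
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?)",
        [(1, "Acme", "Amsterdam"), (2, "Globex", "Rotterdam"), (3, "Initech", "Utrecht")],
    )
    conn.commit()
    return conn


def find_by_city_concat(conn, city):
    # VULNERABLE: the input is pasted into the statement text, so the server
    # parses whatever the caller typed as SQL.
    sql = "SELECT name FROM customer WHERE city = '" + city + "' ORDER BY recnum"
    return [row[0] for row in conn.execute(sql)]


def find_by_city_param(conn, city):
    # SAFE: the statement is prepared with a ? marker and contains no data;
    # the value is bound afterwards and can only ever be compared as a string.
    sql = "SELECT name FROM customer WHERE city = ? ORDER BY recnum"
    return [row[0] for row in conn.execute(sql, (city,))]


def update_city(conn, recnum, new_city):
    # The shape the article shows for the CLI kits' UPDATE: only ? markers in
    # the statement text, values bound at execute time. Returns rows affected.
    cur = conn.execute(
        "UPDATE customer SET city = ? WHERE recnum = ?", (new_city, recnum)
    )
    conn.commit()
    return cur.rowcount


def demo():
    conn = make_db()
    evil = "x' OR '1'='1"  # constructed attacker input
    return {
        # concatenation: WHERE city = 'x' OR '1'='1' is always true, every row leaks
        "concat_with_evil_input": find_by_city_concat(conn, evil),
        # parameter: no city is literally named x' OR '1'='1, so nothing matches
        "param_with_evil_input": find_by_city_param(conn, evil),
        # a bound value containing quotes is stored literally, not interpreted
        "rows_updated": update_city(conn, 1, evil),
        # and can be found again only by the same literal string -> ['Acme']
        "param_finds_stored_value": find_by_city_param(conn, evil),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the script and compare the first two results: the concatenated statement returns all three customers for an input that matches no city, while the parameterised statement returns nothing. The last two results show the UPDATE side of the same story: the quotes in the bound value go into the column as ordinary characters, which is why the connectivity kits can accept any field content without risk.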