I am investigating a possible SQL injection bug in some COBOL code. The code uses host variables to submit the statement to a DB2 database. e.g.
EXEC SQL INSERT INTO TBL (a, b, c) VALUES (:x, :y, :z) END-EXEC
Can anyone tell me if this method would be vulnerable to an SQLi attack or if the way COBOL/DB2 parses the host variables means that it would be impossible to execute?
Everything I read suggests there are better ways to protect against SQLi, but the IBM website does mention using host variables; it doesn't explain whether that would totally mitigate the attack.
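An added illustration (not from the original post) that places the static host-variable INSERT from the post next to the two dynamic-SQL forms a code review has to tell apart: a statement assembled by STRING concatenation, where the input becomes part of the SQL text DB2 parses, and one that keeps the text constant and binds values through parameter markers. TBL and the columns a, b, c come from the post; the program, host-variable and paragraph names are assumed.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. HOSTVAR-DEMO.
      * Added illustration, not the poster's program. TBL and
      * columns a, b, c come from the post; other names are assumed.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
           EXEC SQL INCLUDE SQLCA END-EXEC.
           EXEC SQL BEGIN DECLARE SECTION END-EXEC.
       01  X                 PIC X(30).
       01  Y                 PIC X(30).
       01  Z                 PIC X(30).
       01  WS-SQL-TEXT       PIC X(300).
           EXEC SQL END DECLARE SECTION END-EXEC.
       01  WS-USER-INPUT     PIC X(30).
       PROCEDURE DIVISION.
       MAIN.
           ACCEPT WS-USER-INPUT
           MOVE WS-USER-INPUT TO X
           MOVE "fixed-b" TO Y
           MOVE "fixed-c" TO Z
           PERFORM STATIC-INSERT
           PERFORM SAFE-DYNAMIC-INSERT
           GOBACK.
      * Static SQL with host variables (the form in the post): the
      * statement text is fixed at precompile time and X, Y, Z are
      * passed as data values, never parsed as SQL.
       STATIC-INSERT.
           EXEC SQL
               INSERT INTO TBL (a, b, c) VALUES (:X, :Y, :Z)
           END-EXEC.
      * Dynamic SQL assembled by concatenation, the pattern to look
      * for in review: the user value becomes part of the statement
      * text that DB2 parses, so a quote in it alters the statement.
       UNSAFE-DYNAMIC-INSERT.
           MOVE SPACES TO WS-SQL-TEXT
           STRING "INSERT INTO TBL (a, b, c) VALUES ('"
                      DELIMITED BY SIZE
                  WS-USER-INPUT DELIMITED BY SPACE
                  "', 'fixed-b', 'fixed-c')" DELIMITED BY SIZE
               INTO WS-SQL-TEXT
           END-STRING
           EXEC SQL EXECUTE IMMEDIATE :WS-SQL-TEXT END-EXEC.
      * Dynamic SQL with parameter markers: the text stays constant
      * and the values are bound at EXECUTE time.
       SAFE-DYNAMIC-INSERT.
           MOVE "INSERT INTO TBL (a, b, c) VALUES (?, ?, ?)"
             TO WS-SQL-TEXT
           EXEC SQL PREPARE STMT FROM :WS-SQL-TEXT END-EXEC
           EXEC SQL EXECUTE STMT USING :X, :Y, :Z END-EXEC.
```

UNSAFE-DYNAMIC-INSERT is never performed; it is there so the concatenation pattern can be compared with the other two paragraphs, and in a real review the presence of PREPARE or EXECUTE IMMEDIATE on program-built text is the thing to trace back to its inputs.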