RE: [U2] universe sockets
Why not just provide this via a browser? This is what we did when our clients turned up the day after they had lined up until midnight to buy their latest wonder toy at midnight. They were here @ 10am, and had a working prototype by midday, and of course this application will also work on, say, a HTC running Windows Mobile ... anything with a browser.

Ross Ferris
Stamina Software
Visage Better by Design!

-----Original Message-----
From: owner-u2-us...@listserver.u2ug.org [mailto:owner-u2-us...@listserver.u2ug.org] On Behalf Of doug chanco
Sent: Tuesday, 14 April 2009 11:56 AM
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] universe sockets

I hope so, because I would like to develop an in house iphone app that our users can use to query our database for prices/quantity available, and sadly Apple only allows socket access to the closed iphone OS.

If anyone has a pick server socket solution they would like to share I'd appreciate it (answering requests and spawning a program to handle each incoming request); otherwise I may go the route of moving the socket server to the OS (using init.d to handle incoming requests and to spawn a program to handle each request).

But I think I am getting close (to getting a working non-blocking pick socket server) and if I get it to work I'll post what I have to the web site.

dougc

-----Original Message-----
From: owner-u2-us...@listserver.u2ug.org [mailto:owner-u2-us...@listserver.u2ug.org] On Behalf Of phil walker
Sent: Monday, April 13, 2009 5:36 PM
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] universe sockets

Maybe someone could put an example of this on the U2ug website, or Brian could include it in his training materials if he has not already, so that people have an idea how to accomplish this ;-).

-----Original Message-----
From: owner-u2-us...@listserver.u2ug.org [mailto:owner-u2-us...@listserver.u2ug.org] On Behalf Of Symeon Breen
Sent: Tuesday, 14 April 2009 9:30 a.m.
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] universe sockets

> We want to explore other connection options that are not tied to uniobjects so that if we decide to switch from universe to say database x we can do so easier.

My only comment on this is don't go writing socket code just for this - just write a wrapper round the uniobjects code - so your code does not open a uniobjects connection and do read/write/select/run programs; it uses a class that you have written that in turn does this. Pass a param to the class called DB and set it to uv - then when you want to switch to some other DB add the connectivity code to your class and away you go. Basically you are building a DAL (Data access layer) upon which your BLL (business logic layer) works - the bll does not care what the DB is or how it communicates; that is the job of your DAL.

Rgds
Symeon.

---
u2-users mailing list
u2-users@listserver.u2ug.org
To unsubscribe please visit http://listserver.u2ug.org/
RE: [U2] universe sockets
> Tony wrote
> Phil - The practice of separating the UI and DBMS is a Design Pattern called MVC or Model-View-Controller. There are many websites and books dedicated to the topic, and lots and lots of examples in any language you wish. I've described the concept in my blog here:

Just to say that MVC is 'a' method of doing this - there are many, and it is just general good practice. My advice (and that of Microsoft) is only use MVC if you really have to !!
Re: [U2] universe sockets
I wrote u2pipe with a simple request/response socket model in mind:

    http://www.pickwiki.com/cgi-bin/wiki.pl?U2pipe

You can also see other possible ways to do this:

    http://www.pickwiki.com/cgi-bin/wiki.pl?CreateWebInterfaces

rex

doug chanco wrote:
> If anyone has a pick server socket solution they would like to share I'd appreciate it (answering requests and spawning a program to handle each incoming request) otherwise I may go the route of moving the socket server to the OS (using init.d to handle incoming requests and to spawn a program to handle each request).
[U2] DataStage and UniData
Is anyone live with DataStage and UniData? I am interested in success stories as well as any suggestions for success. In this case the site would be going from UniData to Cognos on Oracle. Thanks.

--dawn
--
Dawn M. Wolthuis
Take and give some delight today
Re: [U2] universe sockets
very interesting points, email me at my home address and lets talk price (mostly for some examples/ideas/etc)

dougc

Tony G wrote:
> > From: doug chanco
> > ...I would like to develop an in house iphone app that our users can use to query our database for prices/quantity available and sadly Apple only allows socket access to the closed iphone OS.
>
> Use a web service from Objective C, which is relatively easy with iPhone. (Offer to assist can be inferred.) Separate the client from the server. iPhone apps have nothing to do with data access. Create a web service and you can use it from any client. Think indirectly and the world can open up for you. :)
>
> > If anyone has a pick server socket solution they would like to share I'd appreciate it (answering requests and spawning a program to handle each incoming request)
>
> If you can deal with a single threaded server it might work. Unfortunately in the MV world I don't believe you will be able to fork off processes like an HTTP server.
>
> > otherwise I may go the route of moving the socket server to the OS (using init.d to handle incoming requests and to spawn a program to handle each request).
>
> Hmm, that sounds like... http://sourceforge.net/projects/mvwww/ (My name is there but Glen did ALL the work)
>
> Modify your perspective and you can have a solution in a week. The current line of inquiry is more likely to lead to weeks or months of searching, angst, and failure. Good luck.
>
> Tony Gravagno
> Nebula Research and Development
> TG@ remove.pleaseNebula-RnD.com
RE: [U2] DataStage and UniData
We have been pulling data nightly from Unidata using Datastage and moving it over to Oracle for at least 10 years.

-----Original Message-----
From: owner-u2-us...@listserver.u2ug.org [mailto:owner-u2-us...@listserver.u2ug.org] On Behalf Of Dawn Wolthuis
Sent: Tuesday, April 14, 2009 8:17 AM
To: u2-users@listserver.u2ug.org
Subject: [U2] DataStage and UniData

Is anyone live with DataStage and UniData? I am interested in success stories as well as any suggestions for success. In this case the site would be going from UniData to Cognos on Oracle. Thanks.

--dawn
--
Dawn M. Wolthuis
Take and give some delight today
Re: [U2] universe sockets
Rex Gozar wrote:
> I wrote u2pipe with a simple request/response socket model in mind:
> http://www.pickwiki.com/cgi-bin/wiki.pl?U2pipe

This looks very interesting, but I have one question: is it tied to wininetd/the client? (Could I, for example, just open a raw socket to whatever port I bound it to and send/receive data from any system?) From what I can gather this is tied to the client system, which makes sense since you refer to it as a way to connect a web server to a pick DBMS.

dougc
RE: [U2] DataStage and UniData
We have a staff of 3 people that deal with Datastage and the warehouse on Oracle. I think everything goes smoothly for that group as far as I can tell. We are trapped on an older release of Datastage. I have asked about going to a new release and was told that most of our Datastage jobs would have to be redeveloped in order to go to the newer release. I can't tell you why this is or if it really is true. I think there are some nice features in the newer Datastage products. But apparently this is not a priority as it is not broken and does not need fixing here, I guess. I believe Universe is still central to the product we use. I am not sure if this is still the case in the newer releases. If you want to email me, I can put you in touch with one of our Datastage people if you have other questions.

- Rod

-----Original Message-----
From: owner-u2-us...@listserver.u2ug.org [mailto:owner-u2-us...@listserver.u2ug.org] On Behalf Of Dawn Wolthuis
Sent: Tuesday, April 14, 2009 9:39 AM
To: u2-users@listserver.u2ug.org
Subject: Re: [U2] DataStage and UniData

Good deal. I gather you are happy with DataStage? By the way, does it still have a derivative of Universe inside or did they migrate it to something else?

--dawn

On Tue, Apr 14, 2009 at 9:24 AM, Baakkonen, Rodney A (Rod) 46K rodney.baakko...@cigna.com wrote:
> We have been pulling data nightly from Unidata using Datastage and moving it over to Oracle for at least 10 years.
>
> -----Original Message-----
> From: owner-u2-us...@listserver.u2ug.org [mailto:owner-u2-us...@listserver.u2ug.org] On Behalf Of Dawn Wolthuis
> Sent: Tuesday, April 14, 2009 8:17 AM
> To: u2-users@listserver.u2ug.org
> Subject: [U2] DataStage and UniData
>
> Is anyone live with DataStage and UniData? I am interested in success stories as well as any suggestions for success. In this case the site would be going from UniData to Cognos on Oracle. Thanks.
>
> --dawn
> --
> Dawn M. Wolthuis
> Take and give some delight today

--
Dawn M. Wolthuis
Take and give some delight today
[U2] Select Problem
I have just encountered an inconsistency between the native UniData select and the PICK flavored select. From a PICK flavored account, if I use the lower case sselect to force native UniData syntax, I get:

    sselect ITMMST WITH F2 LIKE ...J1A...      (6,213 keys - wrong)

If I immediately follow this with the PICK select:

    SELECT ITMMST WITH F2 = [J1A]              (No keys - correct)

These two statements SHOULD return the same results. Interestingly, if I use a less restrictive select (search for J1 instead of J1A), I get the following:

    sselect ITMMST WITH F2 LIKE ...J1...       (188 keys which is correct)

I am guessing that the UniData flavor is treating the J1A as something else, but until I can figure out what it is doing, I can not come up with a work-around.

John Israel
Sr. Programmer/Analyst
Dayton Superior Corporation
721 Richard St.
Dayton, OH 45342
RE: [U2] Select Problem
It's because 1A means one numeric character. If you surround the literal in single quotes it'll work fine:

    sselect ITMMST WITH F2 LIKE ...'J1A'...    (6,213 keys - wrong)

Ed

-----Original Message-----
From: owner-u2-us...@listserver.u2ug.org [mailto:owner-u2-us...@listserver.u2ug.org] On Behalf Of Israel, John R.
Sent: 14 April 2009 17:07
To: 'u2-users@listserver.u2ug.org'
Subject: [U2] Select Problem
RE: [U2] Select Problem
It's using it like matching.

Jerry Banker

-----Original Message-----
From: owner-u2-us...@listserver.u2ug.org [mailto:owner-u2-us...@listserver.u2ug.org] On Behalf Of Israel, John R.
Sent: Tuesday, April 14, 2009 11:07 AM
To: 'u2-users@listserver.u2ug.org'
Subject: [U2] Select Problem
Re: [U2] universe sockets
On windows, u2pipe uses wininetd; on unix or linux it can be used with either inetd or xinetd (with xinetd you can limit the number of simultaneous connections; pending requests get queued.)

I'm not sure I understand your question, but wininetd/inetd/xinetd can listen on any port you specify, receiving raw requests from any system and sending back any kind of response data. So the requester (i.e. client) can be a browser, web server, or ANY other program that can interact with sockets.

While you can write a socket listener in Universe basic, it can't be completely fault tolerant; the process can block or hang. Wininetd/u2pipe sidesteps the issue by spawning a new process for each individual request.

rex

doug chanco wrote:
> is it tied to wininetd/the client? (could I for example just open a raw socket to whatever port I bound it to and send/receive data from any system)? from what I can gather this is tied to the client system, which makes sense since you refer to it as a way to connect a web server to a pick DBMS
Re: [U2] Select Problem
Is it taking 1A as a mask? One Alphanumeric character? How many do you get with ...J...?

Charles Shaffer
Senior Analyst
NTN-Bower Corporation

Israel, John R. johnisr...@daytonsuperior.com
Sent by: owner-u2-us...@listserver.u2ug.org
04/14/2009 11:06 AM
Please respond to u2-users
To: 'u2-users@listserver.u2ug.org' u2-users@listserver.u2ug.org
cc:
Subject: [U2] Select Problem
RE: [U2] Select Problem
Thanks for all the replies. Yeah, it was doing a pattern match, but not one that I would have expected. The ...J1A... was returning anything with a J in F2. I am guessing the 1A was causing it to think I wanted anything with alpha in it, though I would have thought the 1A would have returned just a single character match, not any length, and how the J played into this in conjunction with the pattern match is something I have never seen. However, the syntax I ultimately needed was provided by Ed:

    ...'J1A'

Thanks again to all.

John Israel
Sr. Programmer/Analyst
Dayton Superior Corporation
721 Richard St.
Dayton, OH 45342
937-866-0711 x44380

-----Original Message-----
From: owner-u2-us...@listserver.u2ug.org [mailto:owner-u2-us...@listserver.u2ug.org] On Behalf Of charles_shaf...@ntn-bower.com
Sent: Tuesday, April 14, 2009 2:02 PM
To: u2-users@listserver.u2ug.org
Subject: Re: [U2] Select Problem

Is it taking 1A as a mask? One Alphanumeric character? How many do you get with ...J...?

Charles Shaffer
Senior Analyst
NTN-Bower Corporation

Israel, John R. johnisr...@daytonsuperior.com
Sent by: owner-u2-us...@listserver.u2ug.org
04/14/2009 11:06 AM
Please respond to u2-users
To: 'u2-users@listserver.u2ug.org' u2-users@listserver.u2ug.org
cc:
Subject: [U2] Select Problem
Re: [U2] Select Problem
The 1A in ...J1A... is a valid pattern. So this string will match anything that contains a J followed by an alpha character. If you want to match J1A literally, you need to quote it, i.e.

    ...J'1A'...

or

    0X'J1A'0X

On Apr 14, 2009, at 12:06 PM, Israel, John R. wrote:
RE: [U2] Select Problem
This is the notorious matching issue: 1A is a valid match string for 1 alphabetic character.

From: johnisr...@daytonsuperior.com
To: u2-users@listserver.u2ug.org
Date: Tue, 14 Apr 2009 12:06:30 -0400
Subject: [U2] Select Problem
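To make the replies in this thread concrete, here is an added Python toy model (not from the list, and not UniData's own implementation) of the pattern subset being discussed: nA/nN/nX masks, the ... wildcard, quoted literals, and anything else taken literally. Run against a constructed handful of F2 values, it shows why ...J1A... picks up any description with a J followed by a letter, while the quoted forms given by Ed and the other replies match the literal J1A.

```python
import re

# Tokenizer for the pattern subset the thread discusses:
#   '...' or "..." quoted text -> literal; masks inside it are NOT interpreted
#   ...                        -> any run of characters (the LIKE wildcard)
#   nA / nN / nX               -> exactly n alphabetic / numeric / any characters,
#                                 n = 0 meaning "zero or more"
#   any other character        -> matched literally
TOKEN_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\.\.\.)|(\d+)([ANXanx])|(.)")

CHAR_CLASS = {"A": str.isalpha, "N": str.isdigit, "X": lambda c: True}


def tokenize(pattern):
    """Split a pattern into ('lit', text), ('any',) and ('mask', n, cls) tokens."""
    tokens = []
    for m in TOKEN_RE.finditer(pattern):
        sq, dq, dots, count, cls, ch = m.groups()
        if sq is not None or dq is not None:
            tokens.append(("lit", sq if sq is not None else dq))
        elif dots:
            tokens.append(("any",))
        elif count is not None:
            tokens.append(("mask", int(count), cls.upper()))
        else:
            tokens.append(("lit", ch))
    return tokens


def _match(value, i, tokens, t):
    """Backtracking matcher: does value[i:] match tokens[t:] completely?"""
    if t == len(tokens):
        return i == len(value)
    tok = tokens[t]
    if tok[0] == "lit":
        lit = tok[1]
        return value.startswith(lit, i) and _match(value, i + len(lit), tokens, t + 1)
    if tok[0] == "any":
        return any(_match(value, j, tokens, t + 1) for j in range(i, len(value) + 1))
    _, n, cls = tok
    ok = CHAR_CLASS[cls]
    if n == 0:  # 0A / 0N / 0X: zero or more characters of that class
        j = i
        while True:
            if _match(value, j, tokens, t + 1):
                return True
            if j < len(value) and ok(value[j]):
                j += 1
            else:
                return False
    end = i + n
    return (end <= len(value) and all(ok(c) for c in value[i:end])
            and _match(value, end, tokens, t + 1))


def like(value, pattern):
    """True if the whole value matches the pattern (what WITH F2 LIKE tests per record)."""
    return _match(value, 0, tokenize(pattern), 0)


# Constructed sample F2 (description) values standing in for the ITMMST file.
SAMPLE_F2 = ["BOLT J1A 10MM", "JACK STAND", "WASHER 5MM", "PIN J1 SHORT"]


def select_like(pattern, rows=SAMPLE_F2):
    """Return the rows an 'sselect ... WITH F2 LIKE pattern' would pick out."""
    return [r for r in rows if like(r, pattern)]


if __name__ == "__main__":
    for p in ["...J1A...", "...'J1A'...", "...J'1A'...", "0X'J1A'0X", "...J1..."]:
        print(f"{p:14} -> {select_like(p)}")
```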
Re: [U2] universe sockets
I am sure people are bored with all this socket talk; can I email you off list, because I am missing something between your web page documentation and what you said below?

dougc

Rex Gozar wrote:
> On windows, u2pipe uses wininetd; on unix or linux it can be used with either inetd or xinetd (with xinetd you can limit the number of simultaneous connections; pending requests get queued.)
>
> I'm not sure I understand your question, but wininetd/inetd/xinetd can listen on any port you specify, receiving raw requests from any system and sending back any kind of response data. So the requester (i.e. client) can be a browser, web server, or ANY other program that can interact with sockets.
>
> While you can write a socket listener in Universe basic, it can't be completely fault tolerant; the process can block or hang. Wininetd/u2pipe sidesteps the issue by spawning a new process for each individual request.
>
> rex
>
> doug chanco wrote:
> > is it tied to wininetd/the client? (could I for example just open a raw socket to whatever port I bound it to and send/receive data from any system)? from what I can gather this is tied to the client system, which makes sense since you refer to it as a way to connect a web server to a pick DBMS
RE: [U2] SQL Injection (was Select Problem)
> From: Israel, John
> Thanks for all the replies. Yeah, it was doing a pattern match, but not one that I would have expected...

It's precisely due to issues like this that I recommend unaudited/unfiltered end-user input never be used in queries. This is the definition of SQL injection which plagues almost every developer using a relational database. Most MV developers are unaware of this concept or simply ignore it until something bad happens. The problem is greatest in open source code where a bad guy can easily find out exactly how the query is structured. It's less of a problem when the source isn't available - and that means most of us. Nevertheless people should be aware of the potential vulnerability.

Example: You have salesreps who should only have access to order data for their own territory. Your report generation code looks something like this:

    MY.TERR = SALESREP.REC<33>   ;* assume value is 123 for current rep
    INPUT FISCAL.PERIOD
    STMT = \SSELECT ORDERS\
    STMT := \ WITH TERRITORY \:MY.TERR:\\
    STMT := \ AND WITH PERIOD \:FISCAL.PERIOD:\\
    EXECUTE STMT
    ... generate report

The territory is hardcoded, seemingly secure. What if the input is as follows?

    02 OR WITH TERRITORY NOT

The query becomes:

    SSELECT ORDERS WITH TERRITORY 123 AND WITH PERIOD 02 OR WITH TERRITORY NOT

In short the rep gets a listing of all customers that do not have a null territory. Imagine what can happen if someone knows how to use EVAL.

What if this is a web user entering their own user ID into a textbox and you pass that input into a select so that they can see their order data? They could conceivably see order data for all of your customers.

How do you fix the vulnerability? In this case, filter the input of FISCAL.PERIOD to make sure it's numeric, doesn't contain spaces or quotes, and maybe that it is in the range of 1 to 12 (or however many periods you have). Never pass user input directly into a select statement.

This was off the top of my head so please forgive any issue with the details but the general point should be clear.

HTH
Tony Gravagno
Nebula Research and Development
TG@ remove.pleaseNebula-RnD.com
Re: [U2] SQL Injection (was Select Problem)
Point well taken. However, in this case it is a partial part description search from a web page, so the user could type anything. I have locked this down every way I can think of (I have to deal with it otherwise and I hate addressing the same issue more than once). There are other criteria that will always run as well, but again, a search on a partial description has to be somewhat wide open.

John

--
Sent using BlackBerry

----- Original Message -----
From: owner-u2-us...@listserver.u2ug.org owner-u2-us...@listserver.u2ug.org
To: u2-users@listserver.u2ug.org u2-users@listserver.u2ug.org
Sent: Tue Apr 14 18:23:45 2009
Subject: RE: [U2] SQL Injection (was Select Problem)
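An added Python model of the two query builders this thread talks about; it is not Tony's UniBasic and not anything shipped with the U2 products. It shows the report statement first as concatenated in the post, then with FISCAL.PERIOD validated the way Tony recommends, and finally a quoted partial-description search for John's wide-open case. The function names, the twelve-period assumption and the outer double-quote quoting of the LIKE pattern are mine.

```python
import re

PERIODS_PER_YEAR = 12  # assumption: twelve fiscal periods, as the post suggests


def build_order_select_unsafe(my_terr, fiscal_period):
    """The post's approach modelled in Python: the user's text is pasted into the query."""
    stmt = "SSELECT ORDERS"
    stmt += " WITH TERRITORY " + str(my_terr)
    stmt += " AND WITH PERIOD " + fiscal_period
    return stmt


def validate_period(raw):
    """Accept only one or two digits within 1..PERIODS_PER_YEAR (no spaces, no quotes)."""
    s = raw.strip()
    if not re.fullmatch(r"[0-9]{1,2}", s):
        raise ValueError("fiscal period must be one or two digits")
    if not 1 <= int(s) <= PERIODS_PER_YEAR:
        raise ValueError(f"fiscal period must be 1..{PERIODS_PER_YEAR}")
    return s


def build_order_select(my_terr, raw_period):
    """Hardened report statement: both values are checked before they reach the query text."""
    terr = int(my_terr)  # territory comes from the rep's record, not from the user
    period = validate_period(raw_period)
    return f'SSELECT ORDERS WITH TERRITORY "{terr}" AND WITH PERIOD "{period}"'


# John's case: a partial description search that has to stay open-ended. The fragment is
# whitelisted to plain text, then wrapped in single quotes inside the LIKE pattern so that
# digit+letter sequences such as 1A are matched literally instead of acting as masks.
DESC_FRAGMENT_RE = re.compile(r"[A-Za-z0-9 ./-]{1,40}")


def build_description_search(raw):
    s = raw.strip()
    if not DESC_FRAGMENT_RE.fullmatch(s):
        raise ValueError("search text may contain only letters, digits, space, '.', '/' and '-'")
    # Outer double quotes because the fragment may contain spaces (assumption about UniQuery
    # quoting); the inner single quotes are what make the fragment a literal.
    return f"SSELECT ITMMST WITH F2 LIKE \"...'{s}'...\""


def try_build(builder, *args):
    """Return the statement, or None when the input was rejected (useful for tests and logging)."""
    try:
        return builder(*args)
    except ValueError:
        return None


if __name__ == "__main__":
    hostile = "02 OR WITH TERRITORY NOT"  # the input from the post
    print(build_order_select_unsafe(123, hostile))
    print(try_build(build_order_select, 123, hostile))
    print(try_build(build_order_select, 123, "02"))
    print(try_build(build_description_search, "J1A"))
    print(try_build(build_description_search, "BOLT'S"))
```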