Risk of SQL injection when connection to AS/400 using JTOpen

Question

We are using JTOpen to connect to our AS/400 machine, and I'm trying to work out the risks of having SQL injection vulnearbility when using this type of integration.

Note that we are only using the call program part of the API - not the jdbc connection.

I am not a RPG programmer and do not have any knowledge of how the risks are in terms of getting SQL injection into the code, nor do I know if the JTOpen API stops these kinds of attacks.

I found out after a bit of googling that there is however possible to do SQL injections into RPGLE programs when they are'nt using stored procedures. So my question is that: Is this possible to do through the JTOpen api as well.

Do we need to programmatically check for SQL injections in all calls to the JTOpen API's ?

Answer 1

If you're not using JDBC, the only reason you would need to check for SQL injection is if you are using dynamic SQL in the programs called on the host using JT400.

If the programs running on the host don't use dynamic SQL, then there is no risk at all.

Answer 2

I am not a java guru so I will just use psuedo-code here.

Based on my understanding, you could use dynamic SQL but just don't concatenate your where statement together.

So string = "select * from table where key = " + id is completely wrong. You can, however, do something similar to

string = "select * from table where key = @id";
build connection
add parameter to assign value to @id
execute command

A better option though would be to use stored procedures.