DB2 parameterized order by clause

rahul manjule
Hi,
I need to write a parameterized ORDER BY clause for my DB2 query (I have to prevent SQL injection vulnerabilities).
I tried "order by ? ?" (the first ? is for the ORDER BY column name, the second for the sort order):
select fname, lname from emp_name where fname =? and lname = ? order by ? ?

I am getting this error: COM.ibm.db2.jdbc.DB2Exception: [IBM][CLI Driver][DB2] SQL0418N A statement contains a use of an untyped parameter marker, the DEFAULT keyword, or a null value that is not valid. SQLSTATE=42610..." exception.

The ORDER BY clause depends on the column name chosen on the screen.
Jeanne Boyarsky
Marshal
Rahul,
You can't parameterize the sort order. Instead, there are other approaches to deal with SQL injection in those columns.

A common approach is to have a list of valid column names. (You probably have that somewhere in the code from displaying it to the user on screen.) Then you validate that the column name passed from the screen matches one of those valid column names. If it does, you are safe from SQL Injection.
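The allow-list approach from the answer above, written out as a runnable example. This is added code, not from either poster: the thread's database is DB2 accessed through JDBC from Java, and this example uses Python's built-in sqlite3 module with a constructed in-memory emp_name table as a stand-in so it runs offline. The technique is the same in JDBC: the sort column and direction coming from the screen are looked up in a fixed map, the identifier taken from the map (never the user's string) is spliced into the SQL text, and the WHERE values stay as ? parameter markers exactly as in the original query. The map keys, direction names and sample rows are assumptions for illustration.

```python
import sqlite3

# Allow-list of sortable columns. The key is the value that arrives from
# the screen; the value is the exact identifier that is spliced into the
# SQL text. Nothing else can ever reach the ORDER BY clause.
# (Assumed for this example; a real screen would drive this map.)
SORTABLE_COLUMNS = {
    "fname": "fname",
    "lname": "lname",
}

# Same idea for the sort direction: only these two tokens are emitted.
SORT_DIRECTIONS = {
    "asc": "ASC",
    "desc": "DESC",
}


def is_valid_sort(sort_column, sort_direction="asc"):
    """True only when both inputs are on the allow-lists."""
    return sort_column in SORTABLE_COLUMNS and sort_direction.lower() in SORT_DIRECTIONS


def build_query(sort_column, sort_direction="asc"):
    """Return the SQL text with a validated ORDER BY clause.

    Raises ValueError for any column or direction that is not on the
    allow-list, so untrusted input never becomes part of the SQL string.
    The WHERE values remain '?' parameter markers, as in the original query.
    """
    if sort_column not in SORTABLE_COLUMNS:
        raise ValueError(f"unknown sort column: {sort_column!r}")
    if sort_direction.lower() not in SORT_DIRECTIONS:
        raise ValueError(f"unknown sort direction: {sort_direction!r}")
    column = SORTABLE_COLUMNS[sort_column]          # identifier from the map
    direction = SORT_DIRECTIONS[sort_direction.lower()]
    return (
        "select fname, lname from emp_name "
        "where fname = ? and lname = ? "
        f"order by {column} {direction}"
    )


def find_employees(conn, fname, lname, sort_column, sort_direction="asc"):
    """Identifiers go through the allow-list; data values go through parameters."""
    sql = build_query(sort_column, sort_direction)
    return conn.execute(sql, (fname, lname)).fetchall()


def sample_connection():
    """Constructed in-memory table standing in for the DB2 emp_name table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table emp_name (fname varchar(30), lname varchar(30))")
    conn.executemany(
        "insert into emp_name values (?, ?)",
        [("Rahul", "Manjule"), ("Jeanne", "Boyarsky")],  # constructed sample rows
    )
    return conn


if __name__ == "__main__":
    conn = sample_connection()
    print(build_query("lname", "desc"))
    print(find_employees(conn, "Rahul", "Manjule", "fname"))
    # An injection attempt in the sort column never reaches the SQL text:
    for attempt in ("fname; drop table emp_name --", "(select 1)", "FNAME"):
        print(attempt, "->", "accepted" if is_valid_sort(attempt) else "rejected")
```

Note that the lookup is exact-match on the key (so "FNAME" is rejected unless you add it to the map); this is deliberate, since the point is to emit only identifiers you wrote yourself, not to normalise whatever arrives. In the JDBC version the returned string is what you pass to prepareStatement, followed by setString for the two ? values.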