Re: Article on new mainframe use

On Fri, 16 Aug 2024 02:05:27 -0000 (UTC), Lawrence D'Oliveiro
<ldo@nz.invalid> wrote:

The best way to interface to [relational] DBMS was to be able to generate SQL
strings on the fly; but this required some facility with manipulation of
dynamic, variable-length strings, which COBOL completely lacked. And so
special extensions were tacked on, just to cope with the generation of SQL
queries and templates.

You mean the *WORST* way.

Just about every SQL injection attack is made possible by programmers
dynamically generating queries.  Most[1] attacks can be prevented
simply by proper use of SQL parameters.


There are only a few situations in which dynamic SQL actually is
necessary - it is not possible to specify table or column names using
parameters, so to reuse a query with a different table or column name
does require generating new query text.

Some applications do have a need to do this - but in most cases the
names to use will be known statically, will be predictable (e.g., date
related), or, if necessary, can be discovered by querying the database
schema - so they should not be provided by user input.

The only exception is to permit a user to create a new *custom* table
type ... but there is little/no need for most applications to do this.
Most applications that must create new tables at runtime know what
names to use, and/or how to generate them, and do not need any input
from a user to do so.

If creating custom table types with user specified names even is
permitted by the application, it should be an operation reserved to
privileged users [presumably who know what they are doing].


---
[1] many RDBMS now directly support JSON and/or XML data, and it is
possible via SQL parameters to inject false "path" information for
working with these data types.  To guard against this the application
itself has to be aware of the data layout.