# Database Discussions > IBM DB2 > DB2 SQL Injection

## gregsohl

Is DB2 susceptible to SQL Injection as other databases are, for example Oracle and SQL Server? Does it allow compound/multiple statements separated by a semicolon?

Thanks.

Greg

----------


## wwwales

Hi,
  Any database that understands SQL queries can be vulnerable to SQL Injection attacks as the attack is done by using the SQL language and not vulnerabilities in the different types of database applications. The easiest way to protect yourself against it is to disallow any valid SQL commands/text e.g. ' " ! If the validation on your text entry box is configured to drop any queries with these characters then the SQL injection will fail.

Hope that helps!

Cheers wwwales

Internet & Web Security Consultants
www.iwsec.co.uk

----------


## gregsohl

Thanks wwwales for your reply. Unfortunately it didn't really get to the heart of my question. I have a world full of general information but was looking for specifics on DB2.

Thanks again.

Greg

----------


## Dan Scott

To avoid SQL injection with DB2, you should use prepared statements with parameter markers: db2_prepare() / db2_execute() if you're using the ibm_db2 PECL extension, PDO::prepare() / PDOStatement::execute() if you're using PDO.

A prepared statement generally looks like this:

SELECT credit_card, expiry FROM table WHERE user = ? AND password = ?

Each ? in the prepared statement is then replaced by exactly one variable that you either bind (using something like db2_bind_param()) or pass as an array to the execute() function. This prevents the most common sort of vulnerability where a user passes in a value like:

1' OR 1 = 1

to trick plain old PHP variable interpolation (as is commonly used in mysql_query() and friends) into adding an extra clause to the SQL statement.

The execute() function will bind that input value to exactly one parameter (so that password really is compared against "1' OR 1 = 1" rather than just 1 with the additional, always true OR clause appended to the statement).

Note that it also automatically handles quoting of string values for you -- really nice.
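As an added example (not Dan's own code), the interpolation pattern he describes beside the db2_prepare() / db2_execute() form from the ibm_db2 PECL extension; the table name, connection details and the input string are assumed or constructed:

```php
<?php
// Added example (not from the thread): the interpolation pattern described above
// beside the db2_prepare()/db2_execute() form, using the ibm_db2 PECL extension.
// Connection parameters and the table are assumed; the input string is constructed.

// Vulnerable: the value is spliced into the SQL text, so a quote in the input
// terminates the string literal and the rest of the input is parsed as SQL.
function build_query_unsafe(string $user, string $password): string
{
    return "SELECT credit_card, expiry FROM accounts "
         . "WHERE user = '$user' AND password = '$password'";
}

// Safe: the SQL text contains only parameter markers; the values travel
// separately and each is bound to exactly one marker.
function fetch_account_safe($conn, string $user, string $password): ?array
{
    $sql  = "SELECT credit_card, expiry FROM accounts WHERE user = ? AND password = ?";
    $stmt = db2_prepare($conn, $sql);
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . db2_stmt_errormsg());
    }
    // Array elements map positionally to the ? markers; the driver handles
    // quoting, so no string manipulation happens in PHP.
    if (!db2_execute($stmt, [$user, $password])) {
        throw new RuntimeException("execute failed: " . db2_stmt_errormsg($stmt));
    }
    $row = db2_fetch_assoc($stmt);
    return $row === false ? null : $row;
}

// Constructed input of the kind mentioned in the thread.
$user     = 'alice';
$password = "1' OR 1 = 1";

// Shows the extra, always-true clause the unsafe form produces.
echo build_query_unsafe($user, $password), PHP_EOL;
// SELECT credit_card, expiry FROM accounts WHERE user = 'alice' AND password = '1' OR 1 = 1

// Assumed connection details (placeholders).
$conn = db2_connect('SAMPLE', 'db2user', 'db2password');
if ($conn === false) {
    die("connect failed: " . db2_conn_errormsg());
}
// With the prepared form, password is compared against the literal string
// 1' OR 1 = 1, so no row matches and null is returned.
var_dump(fetch_account_safe($conn, $user, $password));
db2_close($conn);
```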

----------


## gregsohl

Dan,

Thanks for the good information.

Do you have answers to my original questions? I assume you are answering in the affirmative for the first question. How about the second?

>> Is DB2 susceptible to SQL Injection as other databases are, for example Oracle and SQL Server? Does it allow compound/multiple statements separated by a semicolon?<<

Thanks again.

Greg

----------

