I need to write parameterized order by clause for my DB2 query. ( I have to prevent SQL Injection vulnerabilities).
I tried the " order by ? ?" < first ? for order by column name to provide> and <2nd for sort order>
select fname, lname from emp_name where fname =? and lname = ? order by ? ?
I am getting Error: COM.ibm.db2.jdbc.DB2Exception: [IBM][CLI Driver][DB2] SQL0418N A statement contains a use of an untyped parameter marker, the DEFAULT keyword, or a null value that is not valid. SQLSTATE=42610..." exception.
Order by clause depends on the column name from screen.
You can't parameterize the sort order. Instead, there are other approaches to deal with SQL injection in those columns.
A common approach is to have a list of valid column names. (You probably have that somewhere in the code from displaying it to the user on screen.) Then you validate that the column name passed from the screen matches one of those valid column names. If it does, you are safe from SQL Injection.