• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Ron McLeod
  • Paul Clapham
  • Bear Bibeault
  • Junilu Lacar
  • Jeanne Boyarsky
  • Tim Cooke
  • Henry Wong
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • salvin francis
  • Frits Walraven
  • Scott Selikoff
  • Piet Souris
  • Carey Brown

DB2 parameterized order by clause

Posts: 2
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I need to write parameterized order by clause for my DB2 query. ( I have to prevent SQL Injection vulnerabilities).
I tried the " order by ? ?" < first ? for order by column name to provide> and <2nd for sort order>
select fname, lname from emp_name where fname =? and lname = ? order by ? ?

I am getting Error: COM.ibm.db2.jdbc.DB2Exception: [IBM][CLI Driver][DB2] SQL0418N A statement contains a use of an untyped parameter marker, the DEFAULT keyword, or a null value that is not valid. SQLSTATE=42610..." exception.

Order by clause depends on the column name from screen.
author & internet detective
Posts: 40169
Eclipse IDE VI Editor Java
  • Likes 2
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You can't parameterize the sort order. Instead, there are other approaches to deal with SQL injection in those columns.

A common approach is to have a list of valid column names. (You probably have that somewhere in the code from displaying it to the user on screen.) Then you validate that the column name passed from the screen matches one of those valid column names. If it does, you are safe from SQL Injection.
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
    Bookmark Topic Watch Topic
  • New Topic