in SQL by (6.1k points)

I am trying to find an SQL bug in some COBOL code. This code contains host variables to submit the statement to a DB2 database as:

EXEC SQL INSERT INTO TBL (a, b, c) VALUES (:x, :y, :z) END-EXEC

Could you please tell me if this method would be vulnerable to an SQLi attack, or is there some way COBOL/DB2 parses the host variables which means it is impossible to execute?

1 Answer

by (11.7k points)

Static statements with host variables are not at all susceptible to SQL injection attacks.

But non-parameterized dynamic statements are the concern. They look like the following:

*> X, Y and Z are pasted into the statement text itself
STRING "INSERT INTO TBL (a,b,c) VALUES ("
       X ", "
       Y ", "
       Z ")"
       DELIMITED BY SIZE
       INTO WSQLSTMT.

EXEC SQL PREPARE MYSTMT FROM :WSQLSTMT END-EXEC.

EXEC SQL EXECUTE MYSTMT END-EXEC.

You can also use EXECUTE IMMEDIATE instead of the two-step PREPARE and EXECUTE.

We can see the parameterized dynamic query as:

*> the statement text is fixed; the values are supplied separately at EXECUTE time
STRING "INSERT INTO TBL (a,b,c) VALUES (?, ?, ?)"
       DELIMITED BY SIZE
       INTO WSQLSTMT.

EXEC SQL PREPARE MYSTMT FROM :WSQLSTMT END-EXEC.

EXEC SQL EXECUTE MYSTMT USING :X, :Y, :Z END-EXEC.

Therefore a static query with host variables is completely SAFE, as is a parameterized dynamic query. A non-parameterized query that directly uses the user input to build the SQL statement to execute is NOT SAFE. You need to compile the statement in advance, before the runtime values of the variables are known.

