   comp.os.vms      DEC's VAX* line of computers & VMS.      264,096 messages   
   Message 263,725 of 264,096   
   Arne Vajhøj to All   
   Re: And so? (VMS/XDE)   
   11 Nov 25 20:02:13   
   
   From: arne@vajhoej.dk   
      
   On 11/11/2025 7:57 PM, Arne Vajhøj wrote:   
   > On 11/11/2025 3:59 PM, Lawrence D’Oliveiro wrote:   
   >> On Tue, 11 Nov 2025 15:23:29 -0000 (UTC), Waldek Hebisch wrote:   
   >>> Well, Cobol represents practices of 1960 business data processing.   
   >>> At that time it was state of the art. But state of the art changed.   
   >>> Cobol somewhat adapted, but it is slow at this.   
   >>   
   >> The example I like to mention is the rise of the SQL DBMS. These   
   >> became very important for “business data processing” use in the 1980s.   
      
   >> And guess what: dynamic string   
   >> handling is something that was specifically left out of COBOL, because   
   >> it was not seen as important for “business” use.   
   >   
   > Nonsense.   
   >   
   > Cobol does dynamic string handling just fine.   
   >   
   > Not as good as Java, Python, PHP and other newer languages.   
   >   
   > But better than Fortran, C and many other common languages   
   > back then.   
   >   
   > (and I believe we have told you so before)   
      
   Demo:   
      
   $ type dynsql.eco   
           IDENTIFICATION DIVISION.   
           PROGRAM-ID. DYNSQL.   
      
           ENVIRONMENT DIVISION.   
           CONFIGURATION SECTION.   
           SPECIAL-NAMES.   
               ARGUMENT-VALUE IS COMMAND-LINE-ARGUMENT.   
           DATA DIVISION.   
           WORKING-STORAGE SECTION.   
           EXEC SQL INCLUDE SQLCA END-EXEC.   
           EXEC SQL BEGIN DECLARE SECTION END-EXEC.   
           01 CON PIC X(255).   
           01 USR PIC X(255).   
           01 PWD PIC X(255).   
           01 SQLSTR PIC X(255).   
           01 F1 PIC S9(9) BINARY.   
           01 F2 PIC X(50).   
           EXEC SQL END DECLARE SECTION END-EXEC.   
           01 TEMP PIC 9(9) DISPLAY.   
           01 F2VAL PIC X(50).   
      
           PROCEDURE DIVISION.   
           MAIN-PARAGRAPH.   
               MOVE "" TO F2VAL   
               ACCEPT F2VAL FROM COMMAND-LINE-ARGUMENT   
               MOVE "test" TO CON   
               MOVE "SYSADM" TO USR   
               MOVE "hemmeligt" TO PWD   
               EXEC SQL CONNECT TO :CON USER :USR USING :PWD END-EXEC   
               IF F2VAL = ""   
                   MOVE "SELECT f1,f2 FROM t1" TO SQLSTR   
               ELSE   
                   STRING "SELECT f1,f2 FROM t1 WHERE f2='"   
                          F2VAL   
                          "'" DELIMITED BY SIZE INTO SQLSTR   
               END-IF   
               EXEC SQL PREPARE 'mystmt' FROM :SQLSTR END-EXEC   
               EXEC SQL ALLOCATE 'mycurs' CURSOR FOR 'mystmt' END-EXEC   
               EXEC SQL OPEN 'mycurs' END-EXEC   
               MOVE 0 TO SQLCODE   
               PERFORM UNTIL NOT SQLCODE = 0   
                   EXEC SQL FETCH 'mycurs' INTO :f1, :f2 END-EXEC   
                   IF SQLCODE = 0 THEN   
                       MOVE F1 TO TEMP   
                       DISPLAY TEMP " " F2   
                   END-IF   
               END-PERFORM   
               EXEC SQL CLOSE 'mycurs' END-EXEC   
               STOP RUN.   
   $ esql/cobol dynsql   
      
   Mimer SQL Embedded SQL Preprocessor  Version 11.0.8E   
   Copyright (C) Mimer Information Technology AB. All rights reserved.   
      
   dynsql.eco   
      
   $ cobol/ansi dynsql   
   $ link dynsql + mimer$lib:mimer$sql/opt   
   $ mcr []dynsql   
   000000001 A   
   000000002 BB   
   000000003 CCC   
   $ mcr []dynsql BB   
   000000002 BB   
   $ mcr []dynsql "BB' OR 'X'='X"   
   000000001 A   
   000000002 BB   
   000000003 CCC   
      
   Voila. A Cobol program using embedded SQL vulnerable to   
   SQL injection. That is extremely rare!!   
      
   Arne   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
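The demo above splices the command-line argument straight into the SQL text with STRING ... INTO SQLSTR, which is why the argument "BB' OR 'X'='X" widens the WHERE clause to every row. The following is an added example, not part of the post or of Mimer's code: it re-creates the t1(f1, f2) table from the post's output in an in-memory SQLite database (a constructed stand-in for the Mimer database), runs the same concatenated query, and puts beside it the parameterized form, where the value is bound to a `?` marker instead of being pasted into the statement (in embedded SQL this corresponds to PREPARE with a parameter marker and passing the host variable at OPEN ... USING).

```python
import sqlite3

# Constructed sample rows mirroring the t1 contents shown in the post's output.
ROWS = [(1, "A"), (2, "BB"), (3, "CCC")]


def make_db():
    """In-memory SQLite stand-in for the Mimer database used in the demo."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t1 (f1 INTEGER, f2 VARCHAR(50))")
    con.executemany("INSERT INTO t1 VALUES (?, ?)", ROWS)
    return con


def query_concat(con, f2val):
    """Mirrors the COBOL STRING ... INTO SQLSTR: the argument becomes SQL text."""
    if f2val == "":
        sql = "SELECT f1,f2 FROM t1"
    else:
        sql = "SELECT f1,f2 FROM t1 WHERE f2='" + f2val + "'"
    return con.execute(sql).fetchall()


def query_param(con, f2val):
    """Hardened form: the statement text is fixed and f2val is bound to a
    parameter marker, so a quote character in it is data, never SQL syntax."""
    if f2val == "":
        return con.execute("SELECT f1,f2 FROM t1").fetchall()
    return con.execute("SELECT f1,f2 FROM t1 WHERE f2=?", (f2val,)).fetchall()


def run_demo(f2val):
    """Return (rows from the concatenated query, rows from the parameterized query)."""
    con = make_db()
    return query_concat(con, f2val), query_param(con, f2val)


if __name__ == "__main__":
    # Same three invocations as in the post: no argument, "BB", and the injection string.
    for arg in ["", "BB", "BB' OR 'X'='X"]:
        concat_rows, param_rows = run_demo(arg)
        print(repr(arg), "concat:", concat_rows, "param:", param_rows)
```

With the injection string the concatenated query returns all three rows, exactly as in the post, while the parameterized query returns none because no f2 value literally equals "BB' OR 'X'='X".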
