Last year I attended a technical conference. One of the sessions was presented by Tim Rowe. It was about how you can do a webservice with only SQL (no RPG code needed). I created a webservice that queries a couple of tables to return two fields. The query allows you to pass the customer's ID to the query. I created an HTML page to call the webservice with some JavaScript. Our security team flagged it as a potential risk for SQL injection. I'm wondering, is there something in the webservice definition I can do that would prevent this from being flagged as a SQL injection risk? The query is only expecting a 7-character customer ID.
------------------------------
Michael Soucy
------------------------------