Re: New form of sql injection hack documented

  • From: David Aldridge <david@xxxxxxxxxxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Sun, 27 Apr 2008 18:12:24 -0700 (PDT)

So long story short ... use bind variables?


----- Original Message ----
From: "Adams, Matthew (GE Indust, ConsInd)" <MATT.ADAMS@xxxxxx>
To: oracle-l@xxxxxxxxxxxxx
Sent: Friday, April 25, 2008 10:07:39 AM
Subject: New form of sql injection hack documented


FYI
Yesterday, David Litchfield released a paper describing how a SQL injection
attack could be done on a PL/SQL routine that does dynamic statement creation,
even if the routine has no parameters and no user interaction.
It's an interesting read.
http://www.davidlitchfield.com/blog/archives/00000041.htm


---- 
Matt Adams - GE Consumer and Industrial 
Database Administration 
It will make sense as soon as you stop thinking logically 
and start thinking oracle-ly.  - Jim Droppa 
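An added illustration of the two points made in this thread, written for this page and not taken from either post or from Litchfield's paper: a PL/SQL procedure with no parameters can still be injectable if it splices into EXECUTE IMMEDIATE a value it obtained on its own, and the fix is to pass that value as a bind variable. The vector described in the linked paper is not reproduced here; the scenario below is constructed. It assumes a definer's-rights procedure whose owner can read `orders`, and a caller who has UPDATE on `app_settings` but no access to `orders`. Table names, column names and the payload are all invented for the example.

```sql
-- Constructed demo schema (not from the paper or the original posts).
CREATE TABLE orders (
  region VARCHAR2(30),
  amount NUMBER
);
INSERT INTO orders VALUES ('EMEA', 100);
INSERT INTO orders VALUES ('EMEA', 250);
INSERT INTO orders VALUES ('APAC', 999);

-- Assumption: the procedure's caller is allowed to write this table.
CREATE TABLE app_settings (
  setting_name  VARCHAR2(30) PRIMARY KEY,
  setting_value VARCHAR2(200)
);
INSERT INTO app_settings VALUES ('REGION', 'EMEA');

-- VULNERABLE: no parameters, yet injectable. The procedure fetches a
-- value itself and concatenates it into the statement text, so whoever
-- controls that value controls the SQL the (definer's-rights) procedure runs.
CREATE OR REPLACE PROCEDURE report_by_region_vuln AS
  l_region VARCHAR2(200);
  l_count  NUMBER;
BEGIN
  SELECT setting_value INTO l_region
    FROM app_settings
   WHERE setting_name = 'REGION';

  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM orders WHERE region = ''' || l_region || ''''
    INTO l_count;

  DBMS_OUTPUT.PUT_LINE('Orders in region: ' || l_count);
END;
/

-- Attacker step (constructed): rewrite the stored value so the WHERE
-- clause becomes  region = 'x' OR 1=1 --'  and the count covers all rows
-- the procedure owner can see, not just the caller's region.
UPDATE app_settings
   SET setting_value = 'x'' OR 1=1 --'
 WHERE setting_name = 'REGION';
COMMIT;

-- EXEC report_by_region_vuln;   -- now reports 3 instead of 2

-- FIXED: same logic, but the value travels as a bind variable. It can
-- only ever be compared against `region`; it cannot change the statement.
CREATE OR REPLACE PROCEDURE report_by_region_safe AS
  l_region VARCHAR2(200);
  l_count  NUMBER;
BEGIN
  SELECT setting_value INTO l_region
    FROM app_settings
   WHERE setting_name = 'REGION';

  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM orders WHERE region = :r'
    INTO l_count
    USING l_region;

  DBMS_OUTPUT.PUT_LINE('Orders in region: ' || l_count);
END;
/

-- EXEC report_by_region_safe;   -- reports 0: no region is literally "x' OR 1=1 --"
```

Two caveats worth keeping in mind when applying this. Bind variables cover values only; if the untrusted piece is an identifier (a table or column name that must appear in the statement text), it cannot be bound and should instead be validated with DBMS_ASSERT (for example `DBMS_ASSERT.SIMPLE_SQL_NAME` or `DBMS_ASSERT.ENQUOTE_NAME`) before concatenation. And because the damage here comes from the procedure running with its definer's privileges, declaring routines that build dynamic SQL with `AUTHID CURRENT_USER` limits what a successful injection can reach, even though it does not remove the bug.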
