Re: New form of sql injection hack documented

  • From: "Niall Litchfield" <niall.litchfield@xxxxxxxxx>
  • To: robertgfreeman@xxxxxxxxx
  • Date: Mon, 28 Apr 2008 06:41:10 +0100

As in wwv_execute_immediate, perhaps.

Niall

On Mon, Apr 28, 2008 at 5:40 AM, Robert Freeman <robertgfreeman@xxxxxxxxx>
wrote:

>  and be wary of any dynamic SQL! :-) That execute immediate stuff scares
> the willies out of me! :)
>
> Robert G. Freeman
> Author:
> Oracle Database 11g New Features (Oracle Press)
> Portable DBA: Oracle (Oracle Press)
> Oracle Database 10g New Features (Oracle Press)
> Oracle9i RMAN Backup and Recovery (Oracle Press)
> Oracle9i New Feature
> Blog: http://robertgfreeman.blogspot.com (Oracle Press)
>
>  ----- Original Message ----
> From: David Aldridge <david@xxxxxxxxxxxxxxxxxx>
> To: oracle-l@xxxxxxxxxxxxx
>  Sent: Sunday, April 27, 2008 7:12:24 PM
> Subject: Re: New form of sql injection hack documented
>
>  So long story short ... use bind variables?
>
> ----- Original Message ----
> From: "Adams, Matthew (GE Indust, ConsInd)" <MATT.ADAMS@xxxxxx>
> To: oracle-l@xxxxxxxxxxxxx
> Sent: Friday, April 25, 2008 10:07:39 AM
> Subject: New form of sql injection hack documented
>
> FYI
>
> yesterday, David Litchfield released a paper describing how a sql
> injection attack could be done on a pl/sql routine that does dynamic
> statement creation, even if the routine has no parameters and no user
> interaction.
>
> it's an interesting read.
>
> http://www.davidlitchfield.com/blog/archives/00000041.htm
>
> ----
> Matt Adams - GE Consumer and Industrial
> Database Administration
> It will make sense as soon as you stop thinking logically
> and start thinking oracle-ly.  - Jim Droppa
>
>


-- 
Niall Litchfield
Oracle DBA
http://www.orawin.info
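The pattern the thread is warning about, a parameterless PL/SQL routine that builds its statement by concatenation and hands it to EXECUTE IMMEDIATE, next to the bind-variable form David Aldridge asks about. This is an added example, not code from any message in the thread or from Litchfield's paper; the `orders` table and its `created` column are assumed names. The point of the vulnerable version is that the DATE is turned into text by an implicit conversion that depends on the session's NLS settings, so the procedure author does not fully control the SQL text that reaches the parser even though no caller-supplied argument is involved; in the hardened version the value never becomes part of the statement text at all.

```plsql
-- Vulnerable pattern (added example, assumed table ORDERS with a DATE column CREATED).
-- No parameters, no user input: the only "input" is SYSDATE - 1, yet the
-- implicit DATE -> VARCHAR2 conversion in the concatenation follows the
-- session's NLS date format, so the resulting statement text is not fixed.
CREATE OR REPLACE PROCEDURE report_since_yesterday AS
  l_sql VARCHAR2(4000);
  l_cnt NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM orders WHERE created > '''
           || (SYSDATE - 1) || '''';
  EXECUTE IMMEDIATE l_sql INTO l_cnt;
  DBMS_OUTPUT.PUT_LINE('orders since yesterday: ' || l_cnt);
END;
/

-- Hardened form: the statement text is a constant and the DATE travels as a
-- bind variable. Whatever the session's NLS settings, the parser only ever
-- sees the placeholder :since, so there is nothing to inject into.
CREATE OR REPLACE PROCEDURE report_since_yesterday AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM orders WHERE created > :since'
    INTO l_cnt
    USING SYSDATE - 1;
  DBMS_OUTPUT.PUT_LINE('orders since yesterday: ' || l_cnt);
END;
/
```

When reviewing existing PL/SQL, the check is mechanical: any `||` that splices a value into a string later passed to EXECUTE IMMEDIATE, OPEN ... FOR, or DBMS_SQL is suspect, and a DATE or NUMBER spliced that way is not safe just because it is not a VARCHAR2. Values go in the USING clause; only things that genuinely cannot be bound (object names, for instance) belong in the text, and those should be validated with DBMS_ASSERT before concatenation.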
