RE: SQL Injection Concern

Jon,

        Yes that is a concern.  In our case data that goes into a table
is only data to be passed to the procedure, not part of an execute
immediate.=20


Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA
-----Original Message-----
From: Knight, Jon [mailto:jknight@xxxxxxxxxxxxxx]=20
Sent: Monday, January 10, 2005 11:33 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: SQL Injection Concern

  We've got a table listing stored programs that need to execute after
various application activity.  My first thought is to just use "execute
immediate" on the stored program.  But this will allow anyone to insert
a
row into our table and execute arbitrary code.  I'm interested in any
suggestions or solutions you've implemented to tighten up security in
such a
situation.

Thanks,
Jon Knight
Senior Database Analyst
2525 Horizon Lake Drive, Suite 120
Memphis, TN  38133
JKnight@xxxxxxxxxxxxxx
901.371.8000 - Phone
800.238.7675 - Phone
901.380.8336 - Fax
www.FirstData.com
First Data's merger with Concord creates "One Company" with enhanced
choice,
voice and innovation for all customers.

--
http://www.freelists.org/webpage/oracle-l
--
http://www.freelists.org/webpage/oracle-l

Other related posts: