Re: SQL Injection Concern

  • From: Mladen Gogala <mgogala@xxxxxxxxxxxxxxxxxxxx>
  • To: thomas.mercadante@xxxxxxxxxxxxxxxxx
  • Date: Mon, 10 Jan 2005 13:47:37 -0500

Mercadante, Thomas F wrote:

>Jon,
>
>You make a table read-only by granting only "read" access to it.
>
>Tom
> 
>-----Original Message-----
>From: Knight, Jon [mailto:jknight@xxxxxxxxxxxxxx] 
>Sent: Monday, January 10, 2005 12:25 PM
>To: oracle-l@xxxxxxxxxxxxx
>Subject: RE: SQL Injection Concern
>
>Thanks all for the suggestions.  BTW, we have an upgrade on the way, but
>we're still on 8i ...
>
>A read-only table is new to me.  How do I make it read only?  By putting it
>in a read only tablespace?  Or, is there another way?
>
>Thanks,
>Jon
>
> -----Original Message-----
>From:  Mercadante, Thomas F [mailto:thomas.mercadante@xxxxxxxxxxxxxxxxx] 
>Sent:  Monday, January 10, 2005 10:48 AM
>To:    'jknight@xxxxxxxxxxxxxx'; oracle-l@xxxxxxxxxxxxx
>Subject:       RE: SQL Injection Concern
>
>Can you not control what gets put into this table?  Make it read-only?
>
>-----Original Message-----
>From: Knight, Jon [mailto:jknight@xxxxxxxxxxxxxx] 
>Sent: Monday, January 10, 2005 11:33 AM
>To: oracle-l@xxxxxxxxxxxxx
>Subject: SQL Injection Concern
>
>  We've got a table listing stored programs that need to execute after
>various application activity.  My first thought is to just use "execute
>immediate" on the stored program.  But this will allow anyone to insert a
>row into our table and execute arbitrary code.  I'm interested in any
>suggestions or solutions you've implemented to tighten up security in such a
>situation.
>
>Thanks,
>Jon Knight
>Senior Database Analyst
>2525 Horizon Lake Drive, Suite 120
>Memphis, TN  38133
>JKnight@xxxxxxxxxxxxxx
>901.371.8000 - Phone
>800.238.7675 - Phone
>901.380.8336 - Fax
>www.FirstData.com
>First Data's merger with Concord creates "One Company" with enhanced choice,
>voice and innovation for all customers.
>
create or replace trigger readonly
-- statement-level trigger: fires once per INSERT/UPDATE/DELETE statement and aborts it
-- before any row changes. "my_table" is a placeholder; the post does not name the table.
before insert or update or delete on my_table
begin
  raise_application_error(-20001, 'Table is READ ONLY. Please restart the database and retry');
end;
/



-- 
Mladen Gogala
Oracle DBA
Ext. 121
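As an added example (not code from this thread or from either poster), here is one way to drive the dispatch Jon describes so that an injected row cannot run arbitrary code: the program name read from the table is checked to be a plain identifier, then required to resolve to an existing stored procedure in one fixed schema, and only then passed to execute immediate. The table APP_HOOKS (hook_name, program_name), the schema APP_CODE and the procedure RUN_HOOK are assumed names; the character check uses translate() rather than DBMS_ASSERT or REGEXP_LIKE so that it also works on 8i. It complements, rather than replaces, the read-only trigger above and granting application accounts SELECT only on the table.

```sql
-- Added example: RUN_HOOK, APP_HOOKS and APP_CODE are placeholder names.
create or replace procedure run_hook (p_hook_name in varchar2) is
    c_owner   constant varchar2(30) := 'APP_CODE';   -- only procedures owned here may run
    c_allowed constant varchar2(40) := 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$#';
    v_program varchar2(30);
    v_found   pls_integer;
begin
    -- 1. Look up the configured program for this hook (raises NO_DATA_FOUND if absent).
    select upper(program_name) into v_program
      from app_hooks
     where hook_name = p_hook_name;

    -- 2. Reject anything that is not a plain, unquoted identifier.
    --    translate() maps '!' to itself and deletes every character listed in c_allowed,
    --    so the result is null only when v_program contains allowed characters exclusively
    --    ('!' is not in c_allowed, so a literal '!' is rejected as well).
    if v_program is null
       or length(v_program) > 30
       or translate(v_program, '!' || c_allowed, '!') is not null
       or substr(v_program, 1, 1) not between 'A' and 'Z'
    then
        raise_application_error(-20002,
            'Hook ' || p_hook_name || ' names an invalid program');
    end if;

    -- 3. Require the name to be an existing, valid procedure in the fixed schema, so a row
    --    naming a procedure elsewhere, a package, or an anonymous block cannot be executed.
    select count(*) into v_found
      from all_objects
     where owner       = c_owner
       and object_name = v_program
       and object_type = 'PROCEDURE'
       and status      = 'VALID';

    if v_found = 0 then
        raise_application_error(-20003,
            'Hook ' || p_hook_name || ' is not an allowed procedure');
    end if;

    -- 4. Only now build and run the call; the name is a validated, schema-qualified identifier.
    execute immediate 'begin ' || c_owner || '.' || v_program || '; end;';
end run_hook;
/
```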


--
//www.freelists.org/webpage/oracle-l