Use of bind variable alone will not make an application completely SQL
injection proof. It depends on how the application uses the bind variables
especially if the bind variables are used to form dynamic SQL within the
application. The following is not as good an example as I have seen but it
should be enough to make the point:
http://stackoverflow.com/questions/8263371/how-can-prepared-statements-protect-from-sql-injection-attacks/8265319#8265319
Any routine that performs dynamic DDL based on input is especially worth
review from an SQL injection point of view.
________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx <oracle-l-bounce@xxxxxxxxxxxxx> on behalf
of Mladen Gogala <gogala.mladen@xxxxxxxxx>
Sent: Saturday, March 25, 2017 5:56:13 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: SQL Injection monitoring/protection tools
SQL Injection is only possible in the applications which use string
concatenation with the fields from web forms, to create SQL which will then be
executed. In addition to being prone to SQL injection, like in the famous
"Bobby tables" comic, this also doesn't perform well, because the generated SQL
uses constants and needs to undergo hard parsing. Applications should use bind
variables, which will make them impervious to SQL injection attacks. Here is
the famous "little Bobby tables" XKCD comic: https://xkcd.com/327/
On 03/22/2017 05:04 PM, Upendra nerilla wrote:
Thanks much Mark and Rob for the information.
These documents are great.. I will share them with the Development teams.
What I am also looking at from monitoring perspective, if there is a way to
monitor/identify poorly written queries (candidates for SQL injection).. anyone
using any specific way (processes/scripts/manual) to capture the candidate
queries?
Thanks
-Upendra
________________________________
From: Mark W. Farnham <mwf@xxxxxxxx><mailto:mwf@xxxxxxxx>
Sent: Tuesday, March 21, 2017 8:42 AM
To: nupendra@xxxxxxxxxxx<mailto:nupendra@xxxxxxxxxxx>; 'Oracle-L'
Subject: RE: SQL Injection monitoring/protection tools
Protection protocol:
Read Bryn Llewellyn’s paper on writing PL/SQL correctly to prevent injection.
Follow Bryn’s rules for things that are allowed to attach to your database.
Overly simple: perhaps. Effective? Definitely.
Allow folks to bend Bryn’s rules? Then you have entered the np incomplete
problem space of intrusion detection. Good luck.
mwf
From: oracle-l-bounce@xxxxxxxxxxxxx<mailto:oracle-l-bounce@xxxxxxxxxxxxx>
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Upendra nerilla
Sent: Monday, March 20, 2017 11:06 PM
To: Oracle-L
Subject: SQL Injection monitoring/protection tools
Hello everyone -
I am interested in finding what kind of tools folks are using to defend against
SQL injection type attacks?
I have seen the capabilities of Database Firewall from various documents, seems
to have nice features.
Have seen the following page listing a few other options:
https://en.wikipedia.org/wiki/Web_application_firewall
Could you please share any feedback on any tools/strategy anyone is using..
Much appreciated
-Upendra
--
Mladen Gogala
Oracle DBA
Tel: (347) 321-1217
