RE: Securing forms over Oracle 10gAS

  • From: "Reidy, Ron" <Ron.Reidy@xxxxxxxxxxxxxxxxxx>
  • To: <stankup@xxxxxxxxxxxxxxxxx>, <ora_forum@xxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Fri, 17 Mar 2006 13:22:21 -0700

Paula,
 
I think writing the rules to prevent SQL injection for mod_security
would be the never ending, always incomplete job.
 
If you want to protect against SQL injection, you will need to validate
all input and always use bind variables.  I know this sounds overly
simplistic, but check out the results of this Google search:
http://www.google.com/search?q=sql+injection+oracle&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US:official
 
Securing Apache is a large subject.  Adding Oracle to the equation just
increases the complexity of the issue, because of the things you should
lock down on the database and database software sides.  I think using
mod_security is a step in the right direction, but you should also
consider installing Apache on a different server, or at least a separate
ORACLE_HOME, and putting it in a jail.
 
Just my $0.02.
 
--
Ron Reidy
Lead DBA
Array BioPharma, Inc
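
The two defences named above (validate all input, always use bind variables) side by side, as an added illustration that is not part of Ron's message. It uses Python's bundled sqlite3 module purely so it runs anywhere; the table, rows and the probe string are constructed for the example, and the `?` placeholder stands in for an Oracle `:name` bind variable, which behaves the same way: the value is passed separately and is never parsed as SQL text.

```python
import re
import sqlite3

# Constructed sample rows standing in for an application table.
_ROWS = [
    ("alice", "Engineering"),
    ("bob", "Finance"),
    ("carol", "Finance"),
]


def _open_db():
    """In-memory stand-in for the database (sqlite3 here, not Oracle)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emp (username TEXT, dept TEXT)")
    conn.executemany("INSERT INTO emp VALUES (?, ?)", _ROWS)
    return conn


# Allow-list shape for a username; assumed for the example.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,30}$")


def validate_username(value):
    """Input validation: accept only short alphanumeric tokens."""
    return bool(_USERNAME_RE.match(value))


def lookup_concat(conn, username):
    """Vulnerable form: the input is pasted into the statement text, so a
    quote character in the input rewrites the WHERE clause."""
    sql = "SELECT username, dept FROM emp WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_bind(conn, username):
    """Hardened form: fixed statement text, value supplied as a bind
    variable (? in sqlite3, :name in Oracle)."""
    sql = "SELECT username, dept FROM emp WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_safe(conn, username):
    """Both layers: reject malformed input first, bind whatever passes."""
    if not validate_username(username):
        raise ValueError("username rejected by input validation")
    return lookup_bind(conn, username)


if __name__ == "__main__":
    conn = _open_db()
    probe = "x' OR 'a'='a"  # constructed input containing a quote character
    print(lookup_concat(conn, probe))  # every row: the predicate was rewritten
    print(lookup_bind(conn, probe))    # []: searches for that literal name
    print(validate_username(probe))    # False: never reaches the query at all
```

The point of the pairing is that validation and binding fail independently: an allow-list that is too loose (or a field that legitimately contains quotes, such as a surname) still leaves the concatenated query exposed, while the bound query is safe regardless of what the validator lets through.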
 
-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Stankus, Paula
Sent: Friday, March 17, 2006 12:00 PM
To: ora_forum@xxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: Securing forms over Oracle 10gAS



We wish to secure forms over 10gAS from SQL injection... while providing
internet access.  We are experimenting with mod_security.conf for Apache
but when we enable it we get the forms error:  FRM-92102.

Is this the best way to secure forms and does anyone have experience
configuring mod_security.conf?

Thanks in advance.

Paula

