Re: Execute some basic math in a single SQL

  • From: Carel-Jan Engel <cjpengel.dbalert@xxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Tue, 27 Mar 2007 23:29:12 +0200

Reposting, including Alberto's answer, now to the list.
Of course, I forgot to hit the reply all again.

I understand this can be achieved with dynamic SQL only.
I just thought it might be right to post a little warning about SQL
injection.
Well documented, this nice feature might act as a beautiful honeypot.

Best regards,

Carel-Jan Engel

===
If you think education is expensive, try ignorance. (Derek Bok)
===

On Tue, 2007-03-27 at 23:23 +0200, Alberto Dell'Era wrote:

> Yes, as any dynamic sql solution, but there's not other way
> to do what the OP was asking for - and it is obviously a
> proof-of-concept, not a ready-for-production solution.
> 
> To iron the solution, one could, for example, install eval() 
> on a dedicated schema, without any privilege whatsoever
> besides the one(s?) needed to read from dual (or maybe
> even using a custom mydual and revoke the select priv from
> dual, if possible), no object in the schema, etcetera; 
> maybe even logging any error in the alert log to catch
> the hacker with his hands in the jar. But, those are trivial
> tricks that anyone should immediately think about in a
> knee-jerk reaction when stumbling on dynamic sql. 
> 
> (You have replied to me privately, not to the whole Oracle-L;
> feel free to post this and your caveat on the list if you feel like)
> 
> bye
> Alberto
> 
> 
> On 3/27/07, Carel-Jan Engel <cjpengel.dbalert@xxxxxxxxx> wrote:
> 
>         This is lovely for SQL injection attacks!
>         
>         On Tue, 2007-03-27 at 20:45 +0200, Alberto Dell'Era wrote:
>         
>         > I'd go with something like
>         > 
>         > create or replace function eval (expr varchar2)
>         > return number
>         > deterministic
>         
>         <snip to avoid overquoting>
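The hardening Alberto sketches (a dedicated schema with no privileges of its own, only execute leaving it) can be written down concretely. The block below is an added example and not the snipped eval() from the thread nor anything the list published; the schema name EVAL_OWNER, the application user APP_USER and the character whitelist are assumptions, and the alert-log error logging he mentions is left out.

```sql
-- Added example (not the list post's code): a minimal-privilege home for eval().
-- Assumed names: schema EVAL_OWNER, application user APP_USER.

-- 1. A dedicated schema that owns nothing and can do nothing.
--    No CREATE SESSION, no quota, no roles: nobody ever logs in as it.
CREATE USER eval_owner IDENTIFIED BY "change-me-placeholder" ACCOUNT LOCK;

-- 2. A DBA (holding CREATE ANY PROCEDURE) creates the function INTO that
--    schema. Definer's rights are the default, so the dynamic SQL runs with
--    EVAL_OWNER's empty privilege set, whatever the caller happens to hold.
--    DUAL is readable through the PUBLIC grant, so nothing else is needed.
CREATE OR REPLACE FUNCTION eval_owner.eval (expr IN VARCHAR2)
  RETURN NUMBER
  DETERMINISTIC
AS
  l_result NUMBER;
BEGIN
  -- Input whitelist (assumed policy): digits, decimal point, + - * /,
  -- parentheses and blanks. Quotes, letters, semicolons and comment
  -- markers are rejected before the string reaches EXECUTE IMMEDIATE,
  -- so the concatenation below can only ever form an arithmetic SELECT.
  IF NOT REGEXP_LIKE(expr, '^[0-9.+*/() -]+$') THEN
    RAISE_APPLICATION_ERROR(-20001,
      'eval: expression contains characters outside the arithmetic whitelist');
  END IF;

  EXECUTE IMMEDIATE 'SELECT ' || expr || ' FROM dual' INTO l_result;
  RETURN l_result;
END eval;
/

-- 3. Only EXECUTE on the function leaves the sandbox; the application user
--    gets no access to the schema itself.
GRANT EXECUTE ON eval_owner.eval TO app_user;

-- Usage from APP_USER:
--   SELECT eval_owner.eval('(3 + 4) * 2.5') FROM dual;   -- 17.5
--   SELECT eval_owner.eval('1 FROM dual; --') FROM dual; -- ORA-20001, rejected
```

The two measures are independent and worth keeping both: the whitelist stops the injection, and the empty-privilege owner limits what an injection could reach if the whitelist were ever loosened or bypassed.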
