Re: New form of sql injection hack documented

  • From: Robert Freeman <robertgfreeman@xxxxxxxxx>
  • To: david@xxxxxxxxxxxxxxxxxx, oracle-l@xxxxxxxxxxxxx
  • Date: Sun, 27 Apr 2008 21:40:24 -0700 (PDT)

and be wary of any dynamic SQL! :-) That execute immediate stuff scares the 
willies out of me! :)

Robert G. Freeman
Author:
Oracle Database 11g New Features (Oracle Press)
Portable DBA: Oracle (Oracle Press)
Oracle Database 10g New Features (Oracle Press)
Oracle9i RMAN Backup and Recovery (Oracle Press)
Oracle9i New Features (Oracle Press)
Blog: http://robertgfreeman.blogspot.com



----- Original Message ----
From: David Aldridge <david@xxxxxxxxxxxxxxxxxx>
To: oracle-l@xxxxxxxxxxxxx
Sent: Sunday, April 27, 2008 7:12:24 PM
Subject: Re: New form of sql injection hack documented


So long story short ... use bind variables?


----- Original Message ----
From: "Adams, Matthew (GE Indust, ConsInd)" <MATT.ADAMS@xxxxxx>
To: oracle-l@xxxxxxxxxxxxx
Sent: Friday, April 25, 2008 10:07:39 AM
Subject: New form of sql injection hack documented


FYI
Yesterday, David Litchfield released a paper describing how a SQL injection
attack could be done on a PL/SQL routine that does dynamic statement creation,
even if the routine has no parameters and no user interaction.
It's an interesting read.
http://www.davidlitchfield.com/blog/archives/00000041.htm

---- 
Matt Adams - GE Consumer and Industrial 
Database Administration 
It will make sense as soon as you stop thinking logically 
and start thinking oracle-ly.  - Jim Droppa 
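
To make the "use bind variables" answer concrete, here is an added example; it is not code from this thread or from Litchfield's paper. It shows a parameterless PL/SQL procedure that assembles its statement by concatenation, beside the same procedure written with a bind variable. The table and column names (audit_log, event_time) and the procedure names are assumptions chosen for illustration.

```sql
-- Added example (not from the thread or from Litchfield's paper).
-- Table audit_log with a DATE column event_time is assumed for illustration.

-- 1. Concatenation. The procedure takes no parameters and nobody types
--    anything in, yet the statement text is still assembled at run time:
--    whatever the concatenated expression evaluates to becomes part of
--    the SQL that the parser sees.
CREATE OR REPLACE PROCEDURE count_todays_events_concat AS
  l_stmt  VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  -- SYSDATE is a DATE. Concatenating it into a VARCHAR2 performs an
  -- implicit DATE-to-string conversion whose format comes from the
  -- session's NLS settings, not from anything in this procedure.
  l_stmt := 'SELECT COUNT(*) FROM audit_log WHERE TRUNC(event_time) = '''
            || TRUNC(SYSDATE) || '''';
  EXECUTE IMMEDIATE l_stmt INTO l_count;
  DBMS_OUTPUT.PUT_LINE('events today: ' || l_count);
END;
/

-- 2. Bind variable. The statement text is a constant; the value travels
--    separately through the USING clause and is never parsed as SQL,
--    so no conversion of that value can change the statement's shape.
CREATE OR REPLACE PROCEDURE count_todays_events_bind AS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM audit_log WHERE TRUNC(event_time) = :d'
    INTO l_count
    USING TRUNC(SYSDATE);
  DBMS_OUTPUT.PUT_LINE('events today: ' || l_count);
END;
/

-- 3. Static SQL. If the statement does not actually need to be dynamic,
--    embedded SQL is the simplest fix: PL/SQL binds l_today for you and
--    there is no statement string to get wrong.
CREATE OR REPLACE PROCEDURE count_todays_events_static AS
  l_count NUMBER;
  l_today DATE := TRUNC(SYSDATE);
BEGIN
  SELECT COUNT(*) INTO l_count
    FROM audit_log
   WHERE TRUNC(event_time) = l_today;
  DBMS_OUTPUT.PUT_LINE('events today: ' || l_count);
END;
/
```

A quick way to spot the first pattern in an existing code base is to query V$SQL after running each procedure: the concatenated version produces a new SQL_TEXT every time the converted value differs, while the bound and static versions produce a single cursor with a `:d` (or PL/SQL-generated `:B1`) placeholder. Searching ALL_SOURCE for `EXECUTE IMMEDIATE` and `||` on the same or adjacent lines is a crude but useful first pass.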
