Re: SQL Injection Concern

  • From: Pete Finnigan <oracle_list@xxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Mon, 10 Jan 2005 22:43:03 +0000


You might be interested in the two part paper I wrote about SQL
Injection in Oracle. 
You can find them at - I have
also talked about SQL injection a few times in my Oracle security weblog
- you can find the links on my archive page - There is also a search
box on there.

The issue of making a table truly read only was done to death a couple
of months or so ago on one of the lists - I think c.d.o.s - Howard wrote
a paper about it as well - which you can find at
html/read-only_tables.html - I also talked about this subject again in
my Oracle security weblog.

What is the solution? - As Jared suggests bind variables are a great
step forwards. Do not allow anyone to insert text that can be added to a
dynamic SQL statement - filter any input or updates to the table in
question - although this is usually futile as its virtually impossible
to filter for bad input as the known list of "bad things" can easily be
added to by creative people. It is better to concentrate on a "white"
list of "good" input. i.e. clearly design allowed statements and ensure
that input matches the rules.

hope this helps a bit

Kind regards

Pete Finnigan (email:pete@xxxxxxxxxxxxxxxx)
Web site: - Oracle security audit specialists
Oracle security blog:
Book:Oracle security step-by-step Guide - see for details.


Other related posts: