RE: SQL Injection Concern

  • From: "Mercadante, Thomas F" <thomas.mercadante@xxxxxxxxxxxxxxxxx>
  • To: "'jknight@xxxxxxxxxxxxxx'" <jknight@xxxxxxxxxxxxxx>, oracle-l@xxxxxxxxxxxxx
  • Date: Mon, 10 Jan 2005 11:48:06 -0500

Can you not control what gets put into this table?  Make it read-only?

-----Original Message-----
From: Knight, Jon [mailto:jknight@xxxxxxxxxxxxxx] 
Sent: Monday, January 10, 2005 11:33 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: SQL Injection Concern

  We've got a table listing stored programs that need to execute after
various application activity.  My first thought is to just use "execute
immediate" on the stored program.  But this will allow anyone to insert a
row into our table and execute arbitrary code.  I'm interested in any
suggestions or solutions you've implemented to tighten up security in such a

Jon Knight
Senior Database Analyst
2525 Horizon Lake Drive, Suite 120
Memphis, TN  38133
901.371.8000 - Phone
800.238.7675 - Phone
901.380.8336 - Fax
First Data's merger with Concord creates "One Company" with enhanced choice,
voice and innovation for all customers.


Other related posts: