RE: SQL Injection Concern

  • From: Sarah Satterthwaite <ssatterthwaite@xxxxxxxxxxx>
  • To: "'DGoulet@xxxxxxxx'" <DGoulet@xxxxxxxx>, jknight@xxxxxxxxxxxxxx, oracle-l@xxxxxxxxxxxxx
  • Date: Mon, 10 Jan 2005 11:55:57 -0500


Would this table be a good candidate for auditing of inserts, updates and
deletes?  That would tell you when you have a problem, but would miss the
first occurrence of the problem.

Sarah Satterthwaite
Fiserv CSW

-----Original Message-----
From: Goulet, Dick [mailto:DGoulet@xxxxxxxx]
Sent: Monday, January 10, 2005 11:42 AM
To: jknight@xxxxxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: SQL Injection Concern


Yes, that is a concern.  In our case data that goes into a table
is only data to be passed to the procedure, not part of an execute

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA
-----Original Message-----
From: Knight, Jon [mailto:jknight@xxxxxxxxxxxxxx]
Sent: Monday, January 10, 2005 11:33 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: SQL Injection Concern

  We've got a table listing stored programs that need to execute after
various application activity.  My first thought is to just use "execute
immediate" on the stored program.  But this will allow anyone to insert
a row into our table and execute arbitrary code.  I'm interested in any
suggestions or solutions you've implemented to tighten up security in
such a

Jon Knight
Senior Database Analyst
2525 Horizon Lake Drive, Suite 120
Memphis, TN  38133
901.371.8000 - Phone
800.238.7675 - Phone
901.380.8336 - Fax
First Data's merger with Concord creates "One Company" with enhanced
voice and innovation for all customers.
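
Added example, not code from any of the posters: one way to combine the two replies above, so that a table row is only looked up, never executed as text, and changes to the table are audited. APP_OWNER, APP_HOOKS, POST_ACTIONS and RUN_POST_ACTIONS are hypothetical names, and every hook is assumed to take a single VARCHAR2 argument.

```sql
-- Added example. APP_OWNER, APP_HOOKS, POST_ACTIONS and RUN_POST_ACTIONS are
-- hypothetical names, not objects from the thread.

-- The table holds data only: the bare name of a hook and one argument.
CREATE TABLE app_owner.post_actions (
  activity      VARCHAR2(30)  NOT NULL,
  program_name  VARCHAR2(30)  NOT NULL,
  arg           VARCHAR2(200)
);

-- Record every change to the table (requires the AUDIT_TRAIL parameter set).
AUDIT INSERT, UPDATE, DELETE ON app_owner.post_actions BY ACCESS;

CREATE OR REPLACE PROCEDURE app_owner.run_post_actions (p_activity IN VARCHAR2)
IS
  v_proc  all_procedures.procedure_name%TYPE;
BEGIN
  FOR r IN (SELECT program_name, arg
              FROM app_owner.post_actions
             WHERE activity = p_activity)
  LOOP
    BEGIN
      -- Resolve the row against the data dictionary. A value that is not the
      -- name of a procedure inside the one allowed package matches nothing.
      SELECT DISTINCT procedure_name
        INTO v_proc
        FROM all_procedures
       WHERE owner          = 'APP_OWNER'
         AND object_name    = 'APP_HOOKS'
         AND procedure_name = UPPER(r.program_name);
    EXCEPTION
      WHEN NO_DATA_FOUND THEN
        RAISE_APPLICATION_ERROR(-20001, 'Program not in APP_HOOKS: rejected');
    END;

    -- Only the dictionary value is concatenated, as a quoted identifier;
    -- the argument from the table is passed as a bind variable.
    EXECUTE IMMEDIATE
      'BEGIN app_owner.app_hooks.' || DBMS_ASSERT.ENQUOTE_NAME(v_proc, FALSE) ||
      '(:arg); END;'
      USING r.arg;
  END LOOP;
END run_post_actions;
/
```

With this shape, a row inserted by someone who should not have write access can at most select a different hook that already exists in the package; the audit trail shows who inserted it.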

