RE: SQL Injection Concern

  • From: "Knight, Jon" <jknight@xxxxxxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Mon, 10 Jan 2005 11:24:56 -0600

Thanks all for the suggestions.  BTW, We have an upgrade on the way, but
we're still on 8i ...

A read-only table is new to me.  How do I make it read only?  By putting it
in a read only tablespace?  Or, is there another way?


 -----Original Message-----
From:   Mercadante, Thomas F [mailto:thomas.mercadante@xxxxxxxxxxxxxxxxx] 
Sent:   Monday, January 10, 2005 10:48 AM
To:     'jknight@xxxxxxxxxxxxxx'; oracle-l@xxxxxxxxxxxxx
Subject:        RE: SQL Injection Concern

Can you not control what gets put into this table?  Make it read-only?

-----Original Message-----
From: Knight, Jon [mailto:jknight@xxxxxxxxxxxxxx] 
Sent: Monday, January 10, 2005 11:33 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: SQL Injection Concern

  We've got a table listing stored programs that need to execute after
various application activity.  My first thought is to just use "execute
immediate" on the stored program.  But this will allow anyone to insert a
row into our table and execute arbitrary code.  I'm interested in any
suggestions or solutions you've implemented to tighten up security in such a

Jon Knight
Senior Database Analyst
2525 Horizon Lake Drive, Suite 120
Memphis, TN  38133
901.371.8000 - Phone
800.238.7675 - Phone
901.380.8336 - Fax
First Data's merger with Concord creates "One Company" with enhanced choice,
voice and innovation for all customers.


Other related posts: