SQL Injection is only possible in the applications which use string
concatenation with the fields from web forms, to create SQL which will
then be executed. In addition to being prone to SQL injection, like in
the famous "Bobby tables" comic, this also doesn't perform well, because
the generated SQL uses constants and needs to undergo hard parsing.
Applications should use bind variables, which will make them impervious
to SQL injection attacks. Here is the famous "little Bobby tables" XKCD
comic: https://xkcd.com/327/
On 03/22/2017 05:04 PM, Upendra nerilla wrote:
Thanks much Mark and Rob for the information.
These documents are great.. I will share them with the Development teams.
What I am also looking at from monitoring perspective, if there is a way to monitor/identify poorly written queries (candidates for SQL injection).. anyone using any specific way (processes/scripts/manual) to capture the candidate queries?
Thanks
-Upendra
------------------------------------------------------------------------
*From:* Mark W. Farnham <mwf@xxxxxxxx>
*Sent:* Tuesday, March 21, 2017 8:42 AM
*To:* nupendra@xxxxxxxxxxx; 'Oracle-L'
*Subject:* RE: SQL Injection monitoring/protection tools
Protection protocol:
Read Bryn Llewellyn’s paper on writing PL/SQL correctly to prevent injection.
Follow Bryn’s rules for things that are allowed to attach to your database.
Overly simple: perhaps. Effective? Definitely.
Allow folks to bend Bryn’s rules? Then you have entered the np incomplete problem space of intrusion detection. Good luck.
mwf
*From:*oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Upendra nerilla
*Sent:* Monday, March 20, 2017 11:06 PM
*To:* Oracle-L
*Subject:* SQL Injection monitoring/protection tools
Hello everyone -
I am interested in finding what kind of tools folks are using to defend against SQL injection type attacks?
I have seen the capabilities of Database Firewall from various documents, seems to have nice features.
Have seen the following page listing a few other options:
https://en.wikipedia.org/wiki/Web_application_firewall
Could you please share any feedback on any tools/strategy anyone is using..
Much appreciated
-Upendra