Re: SQL Injection monitoring/protection tools

• From: Mladen Gogala <gogala.mladen@xxxxxxxxx>
• To: oracle-l@xxxxxxxxxxxxx
• Date: Sat, 25 Mar 2017 17:56:13 -0400

SQL Injection is only possible in the applications which use string concatenation with the fields from web forms, to create SQL which will then be executed. In addition to being prone to SQL injection, like in the famous "Bobby tables" comic, this also doesn't perform well, because the generated SQL uses constants and needs to undergo hard parsing. Applications should use bind variables, which will make them impervious to SQL injection attacks. Here is the famous "little Bobby tables" XKCD comic: https://xkcd.com/327/


On 03/22/2017 05:04 PM, Upendra nerilla wrote:

Thanks much Mark and Rob for the information.


These documents are great.. I will share them with the Development teams.


What I am also looking at from monitoring perspective, if there is a way to monitor/identify poorly written queries (candidates for SQL injection).. anyone using any specific way (processes/scripts/manual) to capture the candidate queries?


Thanks
-Upendra


------------------------------------------------------------------------
*From:* Mark W. Farnham <mwf@xxxxxxxx>
*Sent:* Tuesday, March 21, 2017 8:42 AM
*To:* nupendra@xxxxxxxxxxx; 'Oracle-L'
*Subject:* RE: SQL Injection monitoring/protection tools

Protection protocol:

Read Bryn Llewellyn’s paper on writing PL/SQL correctly to prevent injection.

Follow Bryn’s rules for things that are allowed to attach to your database.

Overly simple: perhaps. Effective? Definitely.

Allow folks to bend Bryn’s rules? Then you have entered the np incomplete problem space of intrusion detection. Good luck.

mwf

*From:*oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Upendra nerilla
*Sent:* Monday, March 20, 2017 11:06 PM
*To:* Oracle-L
*Subject:* SQL Injection monitoring/protection tools

Hello everyone -

I am interested in finding what kind of tools folks are using to defend against SQL injection type attacks?

I have seen the capabilities of Database Firewall from various documents, seems to have nice features.

Have seen the following page listing a few other options:

https://en.wikipedia.org/wiki/Web_application_firewall

Could you please share any feedback on any tools/strategy anyone is using..

Much appreciated

-Upendra

--
Mladen Gogala
Oracle DBA
Tel: (347) 321-1217

• Follow-Ups:
  • Re: SQL Injection monitoring/protection tools
    • From: Powell, Mark

• References:
  • SQL Injection monitoring/protection tools
    • From: Upendra nerilla
  • RE: SQL Injection monitoring/protection tools
    • From: Mark W. Farnham
  • Re: SQL Injection monitoring/protection tools
    • From: Upendra nerilla

Other related posts:

• » SQL Injection monitoring/protection tools- Upendra nerilla
• » Re: SQL Injection monitoring/protection tools- rob oraclewizard.com
• » RE: SQL Injection monitoring/protection tools- Mark W. Farnham
• » Re: SQL Injection monitoring/protection tools- Upendra nerilla
• » Re: SQL Injection monitoring/protection tools - Mladen Gogala
• » Re: SQL Injection monitoring/protection tools- Powell, Mark

1. Home
2. oracle-l
3. Archive
4. 03-2017

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---