Home » Other » Training & Certification » SQL injection
SQL injection [message #282911] Sun, 25 November 2007 00:04 Go to next message
riteshu
Messages: 5
Registered: May 2005
Junior Member
Hi All,

Im not sure if this is the right forum but i hope someone can clear my problem

I have a parameterized query like

SELECT * FROM USER_DATA WHERE LAST_NAME = ?

Is there any way to do SQL injection. Im supposed to get all data from the table USER_DATA. Or can I get a subset of whole table data?

Its part of a lab assignment which I have been trying but everywhere I see they seem to say that parameterized queries are used to save from SQL injection
Re: SQL injection [message #282924 is a reply to message #282911] Sun, 25 November 2007 02:58 Go to previous messageGo to next message
Frank
Messages: 7880
Registered: March 2000
Senior Member
Do you know what SQL injection is? Either I get your question wrong, or you have the wrong idea about SQL injection.
Re: SQL injection [message #282926 is a reply to message #282924] Sun, 25 November 2007 03:14 Go to previous messageGo to next message
riteshu
Messages: 5
Registered: May 2005
Junior Member
well, I know if it is dynamic sql we can "inject" another sql into the query, like

select *
from tab
where column1 = smith
or 1=1;
--where i send smith' or '1'='1 as input and the 1=1 lets me get all rows from the table

well, the assignment im working on has 2 stages where the above worked for the first case.

now in the second, since the query is parameterized, Id like to know if something like the above can be done to get all rows from the table or should I be looking at a different approach?

As expected, the above does not work since it checks the column value with the whole string.

I hope I am more clear this time.

Thnx
Re: SQL injection [message #282927 is a reply to message #282911] Sun, 25 November 2007 03:15 Go to previous messageGo to next message
Michel Cadot
Messages: 64103
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
You can't have SQL injection with a query like that.

Regards
Michel
Re: SQL injection [message #283840 is a reply to message #282926] Wed, 28 November 2007 04:57 Go to previous messageGo to next message
PeakConsulting
Messages: 20
Registered: November 2007
Location: Suite 6, 2 Hornsey Street...
Junior Member
riteshu wrote on Sun, 25 November 2007 03:14

well, I know if it is dynamic sql we can "inject" another sql into the query, like

select *
from tab
where column1 = smith
or 1=1;
--where i send smith' or '1'='1 as input and the 1=1 lets me get all rows from the table

well, the assignment im working on has 2 stages where the above worked for the first case.

now in the second, since the query is parameterized, Id like to know if something like the above can be done to get all rows from the table or should I be looking at a different approach?

As expected, the above does not work since it checks the column value with the whole string.

I hope I am more clear this time.

Thnx



As far as I know SQL injection can't be performed for the 2nd stage

[Updated on: Wed, 28 November 2007 05:43] by Moderator

Report message to a moderator

Re: SQL injection [message #284016 is a reply to message #283840] Wed, 28 November 2007 10:33 Go to previous message
Frank
Messages: 7880
Registered: March 2000
Senior Member
SQL-injection can only happen (in Oracle) if you concatenate your sql statement with entries from 'the outside world'.
As long as you use bind variables, no worries for SQL-injection.
Previous Topic: Oracle Apps :Certifications ?
Next Topic: query for commission value
Goto Forum:
  


Current Time: Sun Dec 04 12:59:53 CST 2016

Total time taken to generate the page: 0.07896 seconds