
Re:SQL Injection and Oracle?

From: <dgoulet_at_vicr.com>
Date: Fri, 01 Feb 2002 05:43:44 -0800
Message-ID: <F001.0040323D.20020201053019@fatcity.com>

Nope, you could do it with any SQL-based database unless your forms have protection built in. Thankfully our WEB guys did that by accident. Namely, when they accept a data value they have certain rules that they apply to all fields, like max length, no unlimited length fields, comment data manipulated via procedures. It's rather easy, but you have to design it that way.

Dick Goulet

____________________Reply Separator____________________
Author: Robert Eskridge <bryny_at_dfweahs.net>
Date:       1/31/2002 7:15 PM

Today I've seen two white papers on a technique called SQL Injection for exploiting databases via web pages. One of the papers was pretty much a step-by-step tutorial on how to reverse engineer data structures and have your way with a SQL Server database via ASP pages.

Both papers were ASP/SQL Server centric. But in my quick reads, I didn't see anything that made me think it would not work against many HTML forms backed by CGI scripts hitting Oracle databases that I've seen.

Am I missing something?

--

Please see the official ORACLE-L FAQ: http://www.orafaq.com
--

Author: Robert Eskridge
  INET: bryny_at_dfweahs.net

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Received on Fri Feb 01 2002 - 07:43:44 CST
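An added illustration of the form protection discussed in this thread (not code from either poster): a form handler that builds its SQL by concatenation beside one that applies a per-field length rule and passes the value as a bind parameter. It assumes an in-memory SQLite database as a stand-in for Oracle; the table, the field name, the 30-character limit and the sample input are all constructed for the example.

```python
import sqlite3

MAX_LEN = {"username": 30}  # assumed rule: every form field has a hard maximum length

def make_db():
    """Constructed sample table in an in-memory SQLite database (stand-in for Oracle)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100), ("bob", 250), ("carol", 75)])
    return db

def check_field(name, value):
    """Apply the same rules to every form field: known field, string, bounded length."""
    if name not in MAX_LEN:
        raise ValueError(f"unexpected field: {name}")
    if not isinstance(value, str) or len(value) > MAX_LEN[name]:
        raise ValueError(f"{name}: missing or longer than {MAX_LEN[name]} characters")
    return value

def lookup_concatenated(db, username):
    """Unprotected form handler: the field value becomes part of the SQL text."""
    sql = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, username):
    """Protected handler: field rules first, then the value travels as a bind parameter."""
    username = check_field("username", username)
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input, short enough to pass the length rule
    print(lookup_concatenated(db, crafted))  # every row: the quote closed the string literal
    print(lookup_bound(db, crafted))         # no rows: compared as a literal username
    print(lookup_bound(db, "bob"))           # normal lookups are unaffected
```

The crafted value passes the length rule, so in this example the bind parameter is what keeps it out of the SQL text; the field rule bounds what the handler will accept at all.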
