Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 


RE: SQL Injection Concern

From: Mercadante, Thomas F <thomas.mercadante_at_labor.state.ny.us>
Date: Mon, 10 Jan 2005 11:48:06 -0500
Message-ID: <C9995D8C5E0DDA4A8FF9D68EE666CE0702A97200@exchsen0a1ma>


Can you not control what gets put into this table? Make it read-only?

-----Original Message-----

From: Knight, Jon [mailto:jknight_at_concordefs.com]
Sent: Monday, January 10, 2005 11:33 AM
To: oracle-l_at_freelists.org
Subject: SQL Injection Concern

  We've got a table listing stored programs that need to execute after various application activity. My first thought is to just use "execute immediate" on the stored program. But this will allow anyone to insert a row into our table and execute arbitrary code. I'm interested in any suggestions or solutions you've implemented to tighten up security in such a situation.

Thanks,
Jon Knight
Senior Database Analyst
2525 Horizon Lake Drive, Suite 120
Memphis, TN 38133
JKnight_at_concordefs.com

901.371.8000 - Phone
800.238.7675 - Phone
901.380.8336 - Fax
www.FirstData.com

First Data's merger with Concord creates "One Company" with enhanced choice, voice and innovation for all customers.

--

http://www.freelists.org/webpage/oracle-l
Received on Mon Jan 10 2005 - 10:48:46 CST
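
The two ideas in this thread (a list table the application cannot write to, and a check on each name before `execute immediate` runs it), sketched as an added example that is not code from either poster. The schema, account, table, column and procedure names are hypothetical, and it assumes `DBMS_ASSERT` is available in the database and that the listed programs are parameterless standalone procedures in one schema.

```sql
-- Added example. APP_OWNER, APP_USER, POST_ACTIVITY_PROCS (ACTIVITY, PROC_NAME)
-- and RUN_POST_ACTIVITY are hypothetical names, not taken from the thread.

-- The application account may read the list but is granted no INSERT,
-- UPDATE or DELETE on it; only the owning schema maintains the rows.
GRANT SELECT ON app_owner.post_activity_procs TO app_user;

CREATE OR REPLACE PROCEDURE app_owner.run_post_activity (p_activity IN VARCHAR2)
AUTHID DEFINER
AS
  l_name  VARCHAR2(128);
  l_found PLS_INTEGER;
BEGIN
  -- Static SQL: p_activity is bound, never concatenated.
  FOR r IN (SELECT proc_name
              FROM app_owner.post_activity_procs
             WHERE activity = p_activity)
  LOOP
    -- Raises ORA-44003 unless the stored value is one simple identifier,
    -- so text such as "p; DELETE FROM t" never reaches the dynamic call.
    l_name := UPPER(DBMS_ASSERT.SIMPLE_SQL_NAME(r.proc_name));

    -- The name must resolve to an existing standalone procedure in the one
    -- schema this dispatcher is allowed to call into.
    SELECT COUNT(*)
      INTO l_found
      FROM all_objects
     WHERE owner       = 'APP_OWNER'
       AND object_name = l_name
       AND object_type = 'PROCEDURE';

    IF l_found = 1 THEN
      -- Only a validated identifier is concatenated; the schema is fixed.
      EXECUTE IMMEDIATE 'BEGIN app_owner.' || l_name || '; END;';
    ELSE
      RAISE_APPLICATION_ERROR(-20001, 'Not an approved procedure: ' || l_name);
    END IF;
  END LOOP;
END run_post_activity;
/

-- Callers get EXECUTE on the dispatcher only, not on the procedures it runs.
GRANT EXECUTE ON app_owner.run_post_activity TO app_user;
```

With this in place a row added to the list can at most name a procedure that already exists in `APP_OWNER`; it cannot carry arbitrary PL/SQL.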
