
RE: SQL Injection Concern

From: <J.Velikanovs_at_alise.lv>
Date: Mon, 10 Jan 2005 19:49:48 +0200
Message-ID: <OF5A6A6860.192E8ABF-ONC2256F85.0060F1C6-C2256F85.00624991@alise.lv>


>A read-only table is new to me. How do I make it read only? By putting it
>in a read only tablespace? Or, is there another way?
For example, you can simulate RO using a TRIGGER like below:

CREATE OR REPLACE TRIGGER make_table_ro
 BEFORE INSERT OR DELETE OR UPDATE
 ON your_table
BEGIN
  raise_application_error(-20101, 'Table is read-only');
END;
/

PS RO Tablespace is the real solution.

J.

On 2005.01.10 19:24:56 oracle-l-bounce wrote:

>Thanks all for the suggestions. BTW, We have an upgrade on the way, but
>we're still on 8i ...
>
>A read-only table is new to me. How do I make it read only? By putting it
>in a read only tablespace? Or, is there another way?
>
>Thanks,
>Jon
>
>-----Original Message-----
>From: Mercadante, Thomas F [mailto:thomas.mercadante_at_labor.state.ny.us]
>Sent: Monday, January 10, 2005 10:48 AM
>To: 'jknight_at_concordefs.com'; oracle-l_at_freelists.org
>Subject: RE: SQL Injection Concern
>
>Can you not control what gets put into this table? Make it read-only?
>
>-----Original Message-----
>From: Knight, Jon [mailto:jknight_at_concordefs.com]
>Sent: Monday, January 10, 2005 11:33 AM
>To: oracle-l_at_freelists.org
>Subject: SQL Injection Concern
>
>We've got a table listing stored programs that need to execute after
>various application activity. My first thought is to just use "execute
>immediate" on the stored program. But this will allow anyone to insert a
>row into our table and execute arbitrary code. I'm interested in any
>suggestions or solutions you've implemented to tighten up security in such a
>situation.
>
>Thanks,
>Jon Knight
>Senior Database Analyst
>2525 Horizon Lake Drive, Suite 120
>Memphis, TN 38133
>JKnight_at_concordefs.com
>901.371.8000 - Phone
>800.238.7675 - Phone
>901.380.8336 - Fax
>www.FirstData.com
>First Data's merger with Concord creates "One Company" with enhanced choice,
>voice and innovation for all customers.
>
>--
>http://www.freelists.org/webpage/oracle-l
Received on Mon Jan 10 2005 - 11:55:27 CST
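
A check on the executing side that complements a read-only table, as an added example that is not part of the original thread: the dispatcher runs a row only if it names a procedure that already exists in its own schema. The table post_activity_programs, its columns, and the procedure run_post_activity are hypothetical names, and the listed programs are assumed to be standalone procedures that take no arguments.

```sql
-- Added example; table, column and procedure names are hypothetical.
-- post_activity_programs(activity, program_name) stands in for the
-- "table listing stored programs" from the original question.

CREATE OR REPLACE PROCEDURE run_post_activity (p_activity IN VARCHAR2)
IS
  v_proc user_objects.object_name%TYPE;
BEGIN
  FOR r IN (SELECT program_name
              FROM post_activity_programs
             WHERE activity = p_activity)
  LOOP
    -- Accept the row only if it names a standalone procedure that
    -- already exists in this schema. Anything else (a SQL fragment,
    -- another schema's object, a typo) matches no row and is rejected.
    BEGIN
      SELECT object_name
        INTO v_proc
        FROM user_objects
       WHERE object_type = 'PROCEDURE'
         AND object_name = UPPER(r.program_name);
    EXCEPTION
      WHEN NO_DATA_FOUND THEN
        raise_application_error(-20102,
          'Not a known procedure: ' || r.program_name);
    END;

    -- Execute the name read back from the data dictionary, not the raw
    -- table value, and quote it so it can only parse as one identifier.
    EXECUTE IMMEDIATE 'BEGIN "' || v_proc || '"; END;';
  END LOOP;
END run_post_activity;
/
```

With this in place, an inserted row can at most trigger a procedure that was already compiled into the schema; it cannot introduce new statements into the EXECUTE IMMEDIATE string.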
