Oracle-L: Re: SQL Injection Concern
Hi,
You might be interested in the two-part paper I wrote about SQL Injection in Oracle. You can find them at http://www.petefinnigan.com/orasec.htm - I have also talked about SQL injection a few times in my Oracle security weblog - you can find the links on my archive page http://www.petefinnigan.com/weblog/archives/ - There is also a search box on there.
The issue of making a table truly read-only was done to death a couple of months or so ago on one of the lists - I think c.d.o.s - Howard wrote a paper about it as well, which you can find at http://www.dizwell.com/html/read-only_tables.html - I also talked about this subject again in my Oracle security weblog.
What is the solution? As Jared suggests, bind variables are a great step forward. Do not allow anyone to insert text that can be added to a dynamic SQL statement - filter any input or updates to the table in question - although this is usually futile, as it's virtually impossible to filter for bad input: the known list of "bad things" can easily be added to by creative people. It is better to concentrate on a "white" list of "good" input, i.e., clearly design allowed statements and ensure that input matches the rules.
Hope this helps a bit.
Kind regards
Pete
--
Pete Finnigan (email: pete_at_petefinnigan.com)
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
--
http://www.freelists.org/webpage/oracle-l
Received on Mon Jan 10 2005 - 16:43:39 CST
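An added example, not from Pete's post or his paper, showing the two points he makes (bind variables instead of concatenated dynamic SQL, and an allow list for input that cannot be bound). Python's sqlite3 module stands in for Oracle here because it accepts the same `:name` bind syntax; the `accounts` table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the original post.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)",
                    [("alice", 100), ("bob", 250), ("carol", 75)])
    return con


def lookup_dynamic(con, username):
    # The pattern the post warns against: caller text pasted straight into a
    # dynamic statement, so quote characters in the input change the SQL.
    sql = ("SELECT username, balance FROM accounts WHERE username = '"
           + username + "'")
    return con.execute(sql).fetchall()


def lookup_bound(con, username):
    # Bind variable (:uname, the same syntax Oracle uses). The value is
    # passed separately and is never parsed as SQL, so a quoted input simply
    # matches no row instead of rewriting the WHERE clause.
    sql = "SELECT username, balance FROM accounts WHERE username = :uname"
    return con.execute(sql, {"uname": username}).fetchall()


# Identifiers (column or table names) cannot be bound, so this is the case
# where the "white list of good input" applies: compare against known-good
# names rather than trying to filter out "bad" characters.
ALLOWED_SORT_COLUMNS = ("username", "balance")


def list_sorted(con, sort_col):
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not permitted: %r" % sort_col)
    sql = "SELECT username FROM accounts ORDER BY " + sort_col
    return [row[0] for row in con.execute(sql).fetchall()]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("dynamic:", lookup_dynamic(db, crafted))   # every row comes back
    print("bound:  ", lookup_bound(db, crafted))     # []
    print("sorted: ", list_sorted(db, "balance"))
```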