| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> RE: SQL Injection in HTML DB prevention
I'm sure others more knowlegable will jump in, but one thing I noticed is
you're line ...
IF substr(clause,1,8) = '1=1 and ' THEN
If the injector puts any combination of spaces around the equal sign (or anywhere else), you won't catch it. So, go ahead and strip out all whitespace (not just space characters) and test for ... IF substr(clause,1,6) = '1=1and' THEN
Of course, if the injector uses 2=2 or something else, it's still no good. Can you use bind variables instead? Also, consider stripping out comment characters.
Thanks,
Jon Knight
-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org]
On Behalf Of William B Ferguson
Sent: Monday, April 18, 2005 12:30 PM To: oracle-l_at_freelists.org Subject: SQL Injection in HTML DB prevention
Hi all,
I just posted this over in the HTML DB discussion forum, but thought I'd post over here as well, as many of you seem to be really up on this stuff.
I've searched all the forums and the asktom site, and I can't seem to find the answer to THIS particular problem. It was a rough weekend though and I got less than two hours of sleep last, so maybe I'm not comprehending something fully. Hopefully I can explain this okay.
I'm creating pages for the users to enter (or select if applicable) filter 'keywords' from around 30 different tables, and I'm building a where clause for the select statements.
Keeping it simple, and just using one of the free-form text fields, I'm doing this:
:P400_NAME := regexp_replace(:P400_NAME, '[''''|"|;]');
-- strips out single and double-quotes and semi-colon
IF :P400_NAME is not null THEN
clause := clause||' and upper(name) LIKE '''||upper(:P400_NAME)||'''';
END IF;
then later in the same code:
IF substr(clause,1,8) = '1=1 and ' THEN
clause := substr(clause,9);
table_name = 'Deposits';
END IF;
:F121_DEPOSIT_WHERE_CLAUSE := clause;
Finally, to display the records, the code looks like
SELECT field1, field2, etc. from DEPOSITS WHERE &F121_DEPOSIT_WHERE_CLAUSE. Am I missing anything else that's obvious (or even not obvious)?
I 'think' that I just need to strip out punctuation characters that could cause an error, but I do want to allow the '%' wildcard character.
Thanks guys,
-- http://www.freelists.org/webpage/oracle-l -- http://www.freelists.org/webpage/oracle-lReceived on Mon Apr 18 2005 - 13:47:29 CDT
 |
 |