
RE: SQL Injection in HTML DB prevention

From: William B Ferguson <wbfergus_at_usgs.gov>
Date: Mon, 18 Apr 2005 11:57:32 -0600
Message-ID: <OF7C0C2DA4.4D3B22C0-ON06256FE7.0061678C@usgs.gov>


Well, it's not giving me any trouble. If I supply : 'or "2=2" etc.; to the :P400_NAME field, the single/double quotes and the semi-colon are stripped out.

&F121_DEPOSIT_WHERE_CLAUSE starts off with its default value of '1=1', so if the user never specifies anything, my 'built' where clause doesn't die.

Everything is working fine, but I just want to ensure that I'm covering my bases (besides other things), to prevent somebody from supplying data that would enable SQL Injection into my query string. (Just got an email over the weekend to ensure that all systems are designed to prohibit this, from headquarters).

I just started reading about it this morning, and my brain isn't functioning too well today. I understand the basic principles (I think), which is why I'm stripping out the punctuation which could cause an error. I'm not sure if I'm missing anything else that I should strip out (if present) as well. I started out using the :punct: regular expression class, but that removed the wildcard as well, which I want to keep.

Thanks.



Bill Ferguson
U.S. Geological Survey - Minerals Information Team PO Box 25046, MS-750
Denver, Colorado 80225
Voice (303)236-8747 ext. 321 Fax (303)236-4208
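The post above strips quotes and semicolons out of :P400_NAME and then splices the result into &F121_DEPOSIT_WHERE_CLAUSE. The example below is added here and is not from the thread: it uses Python with an in-memory SQLite table as a stand-in for the HTML DB report region and its PL/SQL, and contrasts the character-stripping approach with passing the search term as a bind variable, which keeps the % wildcard working without any stripping. The table, rows and function names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for the deposits table behind the report.
ROWS = [("Bingham Canyon", "Utah"), ("O'Brien Prospect", "Nevada"), ("Orr Mine", "Alaska")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE deposits (name TEXT, state TEXT)")
    conn.executemany("INSERT INTO deposits VALUES (?, ?)", ROWS)
    return conn


def strip_quotes(value):
    """Mirror the post's filter: drop single/double quotes and semicolons, keep %."""
    return re.sub(r"""['";]""", "", value)


def find_stripped(name):
    """Build the WHERE clause as text, as the post does; default is '1=1' when empty.

    The query text itself changes with the input, and legitimate data containing
    an apostrophe (O'Brien) is silently altered, so the row is never found.
    """
    where = "1=1"
    if name:
        where = "name LIKE '%s'" % strip_quotes(name)
    conn = _connect()
    return [r[0] for r in conn.execute("SELECT name FROM deposits WHERE " + where)]


def find_bound(name):
    """Same search with a bind variable (the '?' placeholder, ':P400_NAME' in PL/SQL).

    The input is handed to the database as data, never as SQL text, so quotes
    need no stripping and the % wildcard still works inside LIKE.
    """
    conn = _connect()
    if not name:
        return [r[0] for r in conn.execute("SELECT name FROM deposits")]
    cur = conn.execute("SELECT name FROM deposits WHERE name LIKE ?", (name,))
    return [r[0] for r in cur]


if __name__ == "__main__":
    print(find_stripped("O'Brien%"))  # [] : the apostrophe was stripped away
    print(find_bound("O'Brien%"))     # ["O'Brien Prospect"]
```

The corresponding HTML DB change is to reference :P400_NAME inside the report's SQL (as `name LIKE :P400_NAME`) instead of substituting &F121_DEPOSIT_WHERE_CLAUSE into the statement text.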

-----Original Message-----

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of davewendelken_at_earthlink.net
Sent: Monday, April 18, 2005 11:39 AM
To: oracle-l_at_freelists.org
Subject: Re: SQL Injection in HTML DB prevention

Why don't you show us the value of &F121_DEPOSIT_WHERE_CLAUSE that's giving you trouble, and what text you started from?

And I guess it's not really clear to me what the problem is you are asking about!

Received on Mon Apr 18 2005 - 14:03:33 CDT
