
RE: SQL Injection in HTML DB prevention

From: Lex de Haan <lex.de.haan_at_naturaljoin.nl>
Date: Mon, 18 Apr 2005 20:49:04 +0200
Message-Id: <20050418184904.967148011A56@smtp-out3.tiscali.nl>


In Oracle 10g, you can make this injection slightly more complicated by using the quote operator. Assuming that the application users don't see (and cannot trace!) the generated SQL, they have to try many things. But I agree with David; this is not a simple replace problem.
Cheers,

Lex.



Visit my website at http://www.naturaljoin.nl

-----Original Message-----

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of david wendelken
Sent: Monday, April 18, 2005 20:39
To: oracle-l_at_freelists.org
Subject: Re: SQL Injection in HTML DB prevention

Using your approach, a user doing a search for an employee named Maureen O'Hara would never find a match.
Your page would issue a search for Maureen OHara and not find a match.

A simple replace function will not understand the difference between syntax punctuation and data punctuation inside a quoted string. You'll need a smarter custom parsing function for that.

I don't think that's what you are aiming for.

You're concerned that your page, along with a sneaky user, would issue a statement like this:

select * from some_table
where 1 = 1; delete some_other_table;

And somehow, both statements would get issued? Depends on the back-end code, but doesn't seem too likely.
You could test for it to make sure.

Or:

select aa,bb from some_table
where 1 = 1 union all select id, password from some_userpassword_table;

This one would be more likely. Making sure a union isn't in the statement would prevent that.
Of course, it would also prevent legitimate uses of a union (assuming that there are any).

Hope this helps.

--

http://www.freelists.org/webpage/oracle-l
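David's O'Hara objection worked through as an added example, not code from the thread: Python's sqlite3 stands in for the Oracle back end (an assumption so it runs offline; the table and employee names are constructed), comparing the strip-the-quotes approach with a bind variable and with doubled-quote escaping.

```python
import sqlite3

# Constructed sample data: one employee whose name carries data punctuation.
EMPLOYEES = [("Maureen O'Hara",), ("Lex de Haan",)]


def make_db():
    """In-memory stand-in for the HTML DB back end (assumption, not Oracle)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table some_table (name text)")
    conn.executemany("insert into some_table values (?)", EMPLOYEES)
    return conn


def search_with_replace(conn, user_input):
    """The approach criticised in the thread: strip quotes, then concatenate.
    Syntax punctuation and data punctuation are treated alike, so the
    apostrophe in O'Hara is lost and the search never matches."""
    cleaned = user_input.replace("'", "")
    sql = "select name from some_table where name = '" + cleaned + "'"
    return [row[0] for row in conn.execute(sql)]


def search_with_bind(conn, user_input):
    """Bind variable: the input travels as data, never as statement text, so
    punctuation (or SQL keywords such as UNION) in it cannot change the
    statement. sqlite3 uses '?' where Oracle would use :name."""
    sql = "select name from some_table where name = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def search_with_doubled_quotes(conn, user_input):
    """Escaping by doubling the quote, which is how a literal containing an
    apostrophe is written in SQL ('O''Hara'). Keeps the data intact, but the
    escaping has to be complete, which is why binds are the first choice."""
    escaped = user_input.replace("'", "''")
    sql = "select name from some_table where name = '" + escaped + "'"
    return [row[0] for row in conn.execute(sql)]
```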

Received on Mon Apr 18 2005 - 14:53:12 CDT
