
RE: Securing forms over Oracle 10gAS

From: Reidy, Ron <Ron.Reidy_at_arraybiopharma.com>
Date: Fri, 17 Mar 2006 13:22:21 -0700
Message-ID: <7209E76DACFED9469D4F5169F9880C7A0C7A7F@mail01bldr.arraybp.com>


Paula,  

I think writing the rules to prevent SQL injection for mod_security would be the never ending, always incomplete job.  

If you want to protect against SQL injection, you will need to validate all input and always use bind variables. I know this sounds overly simplistic, but check out the results of this Google search: http://www.google.com/search?q=sql+injection+oracle&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US:official  

Securing Apache is a large subject. Adding Oracle to the equation just increases the complexity of the issue, because of the things you should lock down on the database and database software sides. I think using mod_security is a step in the right direction, but you should also consider installing Apache on a different server, or at least a separate ORACLE_HOME, and putting it in a jail.  

Just my $0.02.  

--

Ron Reidy
Lead DBA
Array BioPharma, Inc  
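Ron's two pieces of advice, bind variables and input validation, are easiest to see side by side in PL/SQL. The following is an added illustration, not code from the thread or from Oracle: the table `orders`, the column `customer_name` and the function names are constructed for the example. It shows a dynamic query built by string concatenation, the same query with the input passed as a bind variable through the `USING` clause, and the fallback of validating the input with `DBMS_ASSERT` for the one case a bind cannot cover, an object name.

```sql
-- Added example (constructed): a lookup that a form might call with
-- user-typed input. Table orders / column customer_name are assumptions.

-- 1. Vulnerable pattern: the input is concatenated into the SQL text, so
--    the statement the parser sees changes with whatever the user typed.
CREATE OR REPLACE FUNCTION count_orders_bad (p_customer IN VARCHAR2)
  RETURN NUMBER
AS
  l_sql   VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM orders WHERE customer_name = '''
           || p_customer || '''';
  EXECUTE IMMEDIATE l_sql INTO l_count;
  RETURN l_count;
END;
/

-- 2. Bind variable: the SQL text is a fixed literal; the input travels as
--    data in the USING clause and cannot alter the statement's structure.
--    The shared pool also reuses one parsed cursor instead of one per value.
CREATE OR REPLACE FUNCTION count_orders_bind (p_customer IN VARCHAR2)
  RETURN NUMBER
AS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM orders WHERE customer_name = :cust'
    INTO l_count USING p_customer;
  RETURN l_count;
END;
/

-- 3. Object names cannot be bound, so here the input is validated instead.
--    DBMS_ASSERT.SIMPLE_SQL_NAME raises ORA-44003 for anything that is not a
--    plain identifier; ENQUOTE_NAME then wraps the checked name in double
--    quotes before it is spliced into the statement.
CREATE OR REPLACE FUNCTION count_rows_in (p_table IN VARCHAR2)
  RETURN NUMBER
AS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM '
    || DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(p_table))
    INTO l_count;
  RETURN l_count;
END;
/
```

Static SQL in PL/SQL (`SELECT COUNT(*) INTO l_count FROM orders WHERE customer_name = p_customer;`) binds its variables automatically, so the risk is concentrated in dynamic SQL: `EXECUTE IMMEDIATE`, `DBMS_SQL` and `OPEN ... FOR` statements whose text is assembled from form items. Reviewing those sites for concatenated input is a bounded job, which is the point of Ron's contrast with writing ever more mod_security rules.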

-----Original Message-----

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Stankus, Paula
Sent: Friday, March 17, 2006 12:00 PM
To: ora_forum_at_yahoo.com; oracle-l_at_freelists.org
Subject: RE: Securing forms over Oracle 10gAS

We wish to secure forms over 10gAS from SQL injection... while providing internet access. We are experimenting with mod_security.conf for Apache but when we enable it we get the forms error: FRM-92102.  

Is this the best way to secure forms and does anyone have experience configuring mod_security.conf?  

Thanks in advance.

Paula

This electronic message transmission is a PRIVATE communication which contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender of the delivery error by replying to this message, or notify us by telephone (877-633-2436, ext. 0), and then delete it from your system.

--

http://www.freelists.org/webpage/oracle-l
Received on Fri Mar 17 2006 - 14:22:21 CST
