New form of SQL injection hack documented

From: Adams, Matthew (GE Indust, ConsInd) <MATT.ADAMS_at_GE.COM>
Date: Fri, 25 Apr 2008 10:07:39 -0400

FYI, yesterday David Litchfield released a paper describing how a SQL injection attack could be done on a PL/SQL routine that does dynamic statement creation, even if the routine has no parameters and no user interaction.

It's an interesting read.

Matt Adams - GE Consumer and Industrial
Database Administration
It will make sense as soon as you stop thinking logically and start thinking oracle-ly. - Jim Droppa

-- Received on Fri Apr 25 2008 - 09:07:39 CDT
