RE: New form of sql injection hack documented

From: Goulet, Dick <>
Date: Fri, 25 Apr 2008 13:21:59 -0400
Message-ID: <>

I'm quite sure that David catches a lot of hate mail about his papers, probably from the hackers out there. But one very smart person in my life once said that the only "safe" database is one that has nothing in it, which is still true today. The one item that I take from all of David's findings is that we should never look at code as doing what we intended it to do, put as what could someone else make it do. I know a lot of people think that hackers are all outside the firewall which is false. The greatest threat to your database is the person in the cube next to you who has access to it.  

I believe that David is a member of the list & consequently thank him for the revelations.  

Dick Goulet / Capgemini
North America P&C / East Business Unit
Senior Oracle DBA / Hosting
Office: 508.573.1978 / Mobile: 508.742.5795 / Fax: 508.229.2019 / Email: 45 Bartlett St. / Marlborough, MA 01752

Together: the Collaborative Business Experience

[] On Behalf Of Adams, Matthew (GE Indust, ConsInd)
Sent: Friday, April 25, 2008 10:08 AM
Subject: New form of sql injection hack documented  

FYI yesterday, david litchfield released a paper describing how a sql injection attack could be done on a pl/sql routine that does dynamic statement creation, even if the routine has no parameters and no user interaction.

it's an interesting read. <>  

Matt Adams - GE Consumer and Industrial Database Administration
It will make sense as soon as you stop thinking logically and start thinking oracle-ly. - Jim Droppa

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

Received on Fri Apr 25 2008 - 12:21:59 CDT

Original text of this message