Re: New form of sql injection hack documented
From: David Aldridge <david_at_david-aldridge.com>
Date: Sun, 27 Apr 2008 18:12:24 -0700 (PDT)
Message-ID: <86457.5242.qm@web804.biz.mail.mud.yahoo.com>
Matt Adams - GE Consumer and Industrial Database Administration
It will make sense as soon as you stop thinking logically and start thinking oracle-ly. - Jim Droppa
--
http://www.freelists.org/webpage/oracle-l Received on Sun Apr 27 2008 - 20:12:24 CDT
Date: Sun, 27 Apr 2008 18:12:24 -0700 (PDT)
Message-ID: <86457.5242.qm@web804.biz.mail.mud.yahoo.com>
So long story short ... use bind variables?
- Original Message ---- From: "Adams, Matthew (GE Indust, ConsInd)" <MATT.ADAMS_at_GE.COM> To: oracle-l_at_freelists.org Sent: Friday, April 25, 2008 10:07:39 AM Subject: New form of sql injection hack documented
FYI
yesterday, david litchfield released a paper describing how a sql injection attack could be done on a pl/sql routine that does dynamic statement creation, even if the routine has no parameters and no user interaction.
it's an interesting read.
http://www.davidlitchfield.com/blog/archives/00000041.htm
Matt Adams - GE Consumer and Industrial Database Administration
It will make sense as soon as you stop thinking logically and start thinking oracle-ly. - Jim Droppa
--
http://www.freelists.org/webpage/oracle-l Received on Sun Apr 27 2008 - 20:12:24 CDT