Re: New form of sql injection hack documented

From: Niall Litchfield <niall.litchfield_at_gmail.com>
Date: Mon, 28 Apr 2008 06:41:10 +0100
Message-ID: <7765c8970804272241m46338834g25172dede7b12c50@mail.gmail.com>


As in wwv_execute_immediate, perhaps.

Niall

On Mon, Apr 28, 2008 at 5:40 AM, Robert Freeman <robertgfreeman_at_yahoo.com> wrote:

> and be wary of any dynamic SQL! :-) That execute immediate stuff scares
> the willies out of me! :)
>
> Robert G. Freeman
> Author:
> Oracle Database 11g New Features (Oracle Press)
> Portable DBA: Oracle (Oracle Press)
> Oracle Database 10g New Features (Oracle Press)
> Oracle9i RMAN Backup and Recovery (Oracle Press)
> Oracle9i New Feature
> Blog: http://robertgfreeman.blogspot.com (Oracle Press)
>
> ----- Original Message ----
> From: David Aldridge <david_at_david-aldridge.com>
> To: oracle-l_at_freelists.org
> Sent: Sunday, April 27, 2008 7:12:24 PM
> Subject: Re: New form of sql injection hack documented
>
> So long story short ... use bind variables?
>
> ----- Original Message ----
> From: "Adams, Matthew (GE Indust, ConsInd)" <MATT.ADAMS_at_GE.COM>
> To: oracle-l_at_freelists.org
> Sent: Friday, April 25, 2008 10:07:39 AM
> Subject: New form of sql injection hack documented
>
> FYI
>
> Yesterday, David Litchfield released a paper describing how a SQL
> injection attack could be done on a PL/SQL routine that does dynamic
> statement creation, even if the routine has no parameters and no user
> interaction.
>
> it's an interesting read.
>
> http://www.davidlitchfield.com/blog/archives/00000041.htm
>
> ----
> Matt Adams - GE Consumer and Industrial
> Database Administration
> It will make sense as soon as you stop thinking logically
> and start thinking oracle-ly. - Jim Droppa
>
>

-- 
Niall Litchfield
Oracle DBA
http://www.orawin.info
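The point the thread is making (dynamic SQL is injectable even in a parameterless routine, and bind variables close the hole), as an added PL/SQL example that is neither from the thread nor from Litchfield's paper. The procedure names and the DBA_SOURCE review query are my own assumptions, not anything the list discussed.

```sql
-- Hypothetical parameterless procedure, vulnerable form. SYSDATE is concatenated
-- into the statement text, so the DATE -> VARCHAR2 conversion is done with the
-- calling session's NLS settings. The text that reaches EXECUTE IMMEDIATE is
-- therefore shaped by the caller even though the routine takes no parameters,
-- and with the default definer's rights it would run as the procedure owner.
CREATE OR REPLACE PROCEDURE count_objects_vulnerable AS
  l_sql   VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM user_objects WHERE created <= '''
           || SYSDATE || '''';
  EXECUTE IMMEDIATE l_sql INTO l_count;
  DBMS_OUTPUT.PUT_LINE('vulnerable form counted ' || l_count);
END;
/

-- Hardened form: the statement text is a constant and the date travels as a
-- bind variable, so no session-level setting can change the SQL that runs.
CREATE OR REPLACE PROCEDURE count_objects_safe AS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM user_objects WHERE created <= :d'
    INTO l_count
    USING SYSDATE;
  DBMS_OUTPUT.PUT_LINE('bind form counted ' || l_count);
END;
/

-- Review aid (assumed, not from the thread): stored code that uses
-- EXECUTE IMMEDIATE and also builds strings with || anywhere in the same unit.
-- These are candidates for manual review, not proof of a vulnerability.
SELECT DISTINCT s.owner, s.name, s.type
  FROM dba_source s
 WHERE UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%'
   AND EXISTS (SELECT 1
                 FROM dba_source c
                WHERE c.owner = s.owner
                  AND c.name  = s.name
                  AND c.type  = s.type
                  AND c.text LIKE '%||%')
 ORDER BY s.owner, s.name, s.type;
```

The same review applies to DBMS_SQL.PARSE and to wrappers such as the wwv_execute_immediate Niall mentions; the concatenation, not the particular call, is what to look for.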

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Apr 28 2008 - 00:41:10 CDT