RE: New form of sql injection hack documented

From: Goulet, Dick <>
Date: Mon, 28 Apr 2008 11:13:32 -0400
Message-ID: <>

As well it should. An execute immediate in an anonymous PL/SQL block to rebuild indexes or the like is OK, but not in stored code since it's subject to much abuse. Pity that many of the third party vendors are not as wise.  

Dick Goulet / Capgemini
North America P&C / East Business Unit
Senior Oracle DBA / Hosting
Office: 508.573.1978 / Mobile: 508.742.5795 / Fax: 508.229.2019 / Email: 45 Bartlett St. / Marlborough, MA 01752

Together: the Collaborative Business Experience

[] On Behalf Of Robert Freeman Sent: Monday, April 28, 2008 12:40 AM
To:; Subject: Re: New form of sql injection hack documented  

and be wary of any dynamic SQL! :-) That execute immediate stuff scares the willies out of me! :)  

Robert G. Freeman
Oracle Database 11g New Features (Oracle Press) Portable DBA: Oracle (Oracle Press)
Oracle Database 10g New Features (Oracle Press) Oracle9i RMAN Backup and Recovery (Oracle Press) Oracle9i New Feature
Blog: (Oracle Press)  

  • Original Message ---- From: David Aldridge <> To: Sent: Sunday, April 27, 2008 7:12:24 PM Subject: Re: New form of sql injection hack documented

So long story short ... use bind variables?

  • Original Message ---- From: "Adams, Matthew (GE Indust, ConsInd)" <MATT.ADAMS_at_GE.COM> To: Sent: Friday, April 25, 2008 10:07:39 AM Subject: New form of sql injection hack documented

FYI yesterday, david litchfield released a paper describing how a sql injection attack could be done on a pl/sql routine that does dynamic statement creation, even if the routine has no parameters and no user interaction.

it's an interesting read. <>  

Matt Adams - GE Consumer and Industrial Database Administration
It will make sense as soon as you stop thinking logically and start thinking oracle-ly. - Jim Droppa  

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

-- Received on Mon Apr 28 2008 - 10:13:32 CDT

Original text of this message