Re: SQL Injection monitoring/protection tools

From: Mladen Gogala <gogala.mladen_at_gmail.com>
Date: Sat, 25 Mar 2017 17:56:13 -0400
Message-ID: <7f4c3811-33d2-9e04-e9ae-09ae541c3040_at_gmail.com>



SQL Injection is only possible in applications which use string concatenation with fields from web forms to create the SQL which will then be executed. In addition to being prone to SQL injection, like in the famous "Bobby tables" comic, this also doesn't perform well, because the generated SQL uses constants and needs to undergo hard parsing. Applications should use bind variables, which will make them impervious to SQL injection attacks. Here is the famous "little Bobby tables" XKCD comic: https://xkcd.com/327/

On 03/22/2017 05:04 PM, Upendra nerilla wrote:
>
> Thanks much Mark and Rob for the information.
>
>
> These documents are great.. I will share them with the Development teams.
>
>
> What I am also looking at, from a monitoring perspective, is whether there is a
> way to monitor/identify poorly written queries (candidates for SQL
> injection). Is anyone using any specific way (processes/scripts/manual)
> to capture the candidate queries?
>
>
> Thanks
> -Upendra
>
>
> ------------------------------------------------------------------------
> *From:* Mark W. Farnham <mwf_at_rsiz.com>
> *Sent:* Tuesday, March 21, 2017 8:42 AM
> *To:* nupendra_at_hotmail.com; 'Oracle-L'
> *Subject:* RE: SQL Injection monitoring/protection tools
>
> Protection protocol:
>
> Read Bryn Llewellyn’s paper on writing PL/SQL correctly to prevent
> injection.
>
> Follow Bryn’s rules for things that are allowed to attach to your
> database.
>
> Overly simple: perhaps. Effective? Definitely.
>
> Allow folks to bend Bryn’s rules? Then you have entered the np
> incomplete problem space of intrusion detection. Good luck.
>
> mwf
>
> *From:* oracle-l-bounce_at_freelists.org
> [mailto:oracle-l-bounce_at_freelists.org] *On Behalf Of* Upendra nerilla
> *Sent:* Monday, March 20, 2017 11:06 PM
> *To:* Oracle-L
> *Subject:* SQL Injection monitoring/protection tools
>
> Hello everyone -
>
> I am interested in finding out what kind of tools folks are using to
> defend against SQL injection type attacks.
>
> I have seen the capabilities of Database Firewall in various
> documents; it seems to have nice features.
>
> Have seen the following page listing a few other options:
>
> https://en.wikipedia.org/wiki/Web_application_firewall
>
> Could you please share any feedback on any tools/strategy anyone is
> using..
>
> Much appreciated
>
> -Upendra
>

-- 
Mladen Gogala
Oracle DBA
Tel: (347) 321-1217
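Two of the points in this thread put into code, as an added example that is not from anyone on the list: Mladen's concatenation-versus-bind-variable contrast, and Upendra's question about spotting candidate queries. The shape normalizer below does by hand what Oracle's V$SQL.FORCE_MATCHING_SIGNATURE does: statements that differ only in their literals collapse to one shape, so a shape seen with many distinct texts is a concatenation-built (hard-parsing, injectable) candidate. An in-memory SQLite database stands in for Oracle, and the SAMPLE_SQL list is a constructed stand-in for SQL_TEXT rows.

```python
import re
import sqlite3

# Literal patterns that concatenated SQL embeds; a bind-variable version of
# the same statement carries a placeholder (:1, ?) where these appear.
_STR_LIT = re.compile(r"'(?:[^']|'')*'")                    # 'text', '' escapes a quote
_NUM_LIT = re.compile(r"(?<![\w$#:])\d+(?:\.\d+)?(?![\w$#])")  # bare numbers, not :1 binds

# Constructed SQL_TEXT sample, standing in for rows pulled from V$SQL.
SAMPLE_SQL = [
    "SELECT name FROM students WHERE id = 1",
    "SELECT name FROM students WHERE id = 2",
    "select  name from students where id = 3",
    "SELECT name FROM students WHERE name = :1",
]

def normalize_sql(text):
    """Collapse literals to ? so statements differing only in constants map to
    one shape (the idea behind Oracle's V$SQL.FORCE_MATCHING_SIGNATURE)."""
    shape = _NUM_LIT.sub("?", _STR_LIT.sub("?", text))
    return " ".join(shape.split()).lower()

def literal_heavy_shapes(statements, min_variants=3):
    """Shapes seen as >= min_variants distinct texts: statements built by
    concatenation, i.e. the hard-parsing injection candidates to review."""
    variants = {}
    for stmt in statements:
        variants.setdefault(normalize_sql(stmt), set()).add(stmt)
    return {s: len(v) for s, v in variants.items() if len(v) >= min_variants}

def lookup_student(conn, name, use_binds):
    """The same lookup built two ways: concatenated (injectable) and bound."""
    cur = conn.cursor()
    if use_binds:
        cur.execute("SELECT name FROM students WHERE name = ?", (name,))
    else:  # the Bobby Tables pattern: the form field is glued into the SQL text
        cur.execute("SELECT name FROM students WHERE name = '" + name + "'")
    return [row[0] for row in cur.fetchall()]

def demo():
    """In-memory SQLite with constructed rows stands in for the database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.executemany("INSERT INTO students VALUES (?)", [("Robert",), ("Alice",)])
    hostile = "x' OR '1'='1"  # constructed input; a literal when bound, SQL when concatenated
    return (lookup_student(conn, hostile, use_binds=False),   # every row comes back
            lookup_student(conn, hostile, use_binds=True))    # no row has that name

if __name__ == "__main__":
    print(demo(), literal_heavy_shapes(SAMPLE_SQL))
```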


--
http://www.freelists.org/webpage/oracle-l
Received on Sat Mar 25 2017 - 22:56:13 CET
