Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: bind variables/injection attacks

From: Mark D Powell <Mark.Powell_at_eds.com>
Date: Fri, 12 Oct 2007 07:40:32 -0700
Message-ID: <1192200032.067695.39830@i38g2000prf.googlegroups.com>


On Oct 12, 8:04 am, Jake <jgarfi..._at_earthlink.net> wrote:
> Is the usage of bind variables sufficient to prevent injection
> attacks?
>
> In other words, if I use bind variables for all inputs coming from the
> user, is there any way that I could have a problem with injection
> attacks still?

The use of bind variables alone will not 100% eliminate the risk of SQL injection attacks since the database itself has a few modules (packages) subject to SQL injection attack.

The application needs to use prepared SQL with bind variables and the program should be written such that the data value input length is limited to the allowable length of acceptable values for the field. This will pretty much prevent SQL injection attacks from succeeding.

Just as importantly, the Oracle security needs to be paid careful attention to so that applications and/or users have only those privileges needed and no more. Avoid granting any of the ANY object privileges: select any table, delete any table, create any procedure, etc. The security bugs in Oracle usually depend on or derive from having these privileges.

HTH -- Mark D Powell -- Received on Fri Oct 12 2007 - 09:40:32 CDT
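The following is an added example, not code from Mark's post or from Oracle. It shows the three points made above side by side: a query built by string concatenation is injectable, the same query with a bind variable is not, and the input-length check is an extra guard on top of binding. It also shows the caveat in the first paragraph: if a routine inside the database builds its own SQL by concatenation from the value it was handed, binding at the application layer does not help. Assumptions: sqlite3 stands in for Oracle so the example runs offline, the `users` table and its rows are constructed for the demo, and `db_routine_dynamic` is a stand-in for a stored procedure that uses dynamic SQL (in Oracle, an `EXECUTE IMMEDIATE` built by concatenation rather than with a `USING` clause).

```python
"""Bind variables vs concatenation, with the length check and the
"unsafe routine inside the database" caveat. Added example; sqlite3
is used as a stand-in for Oracle so it runs offline."""
import sqlite3

# Assumed column length, as a VARCHAR2(30) username column would have.
MAX_USERNAME_LEN = 30


def make_db():
    """Constructed sample schema and rows for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_concat(conn, username):
    """Vulnerable: the user-supplied value becomes part of the SQL text,
    so quotes and operators in it are parsed as SQL."""
    sql = "SELECT secret FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, username):
    """Safe: the value travels as a bind variable. The SQL text is fixed
    before the value is seen, so the value can only ever be data."""
    sql = "SELECT secret FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def lookup_checked(conn, username):
    """Bind variable plus the length limit the post recommends: reject
    anything longer than the column can legitimately hold before it
    reaches the database at all."""
    if len(username) > MAX_USERNAME_LEN:
        raise ValueError("username exceeds column length")
    return lookup_bound(conn, username)


def db_routine_dynamic(conn, username):
    """Stand-in for a stored routine that builds dynamic SQL by
    concatenation (like a PL/SQL EXECUTE IMMEDIATE without USING).
    Even if the application bound `username` correctly when calling
    this routine, the routine re-injects it into SQL text, so the
    attack succeeds anyway. This is the hazard in the first paragraph."""
    sql = "SELECT secret FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # classic tautology payload
    print("concat   :", lookup_concat(db, payload))      # leaks every secret
    print("bound    :", lookup_bound(db, payload))       # nothing matches
    print("checked  :", lookup_checked(db, "alice"))     # legitimate lookup
    print("routine  :", db_routine_dynamic(db, payload)) # leaks again
```

The routine case is why binding alone is "not 100%": the application did everything right, but a privileged package on the database side undid it. That is also why the least-privilege advice in the post matters. If the injectable routine runs with only the privileges its job needs, a successful injection into it gets far less than it would with SELECT ANY TABLE or CREATE ANY PROCEDURE.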
