Re: SQL Server for Oracle DBAs

From: DA Morgan <damorgan_at_psoug.org>
Date: Tue, 03 Jun 2008 16:22:13 -0700
Message-ID: <1212535321.71751@bubbleator.drizzle.com>


joel garry wrote:

> On Jun 3, 1:00 pm, "Tony Rogerson" <tonyroger..._at_torver.net> wrote:

>> http://www.oracle.com/technology/oramag/oracle/05-jan/o15asktom.html
>> "This is such an important topic, and not as many people are aware of it as
>> I thought. Before we start with an answer, let's define the term SQL
>> injection. SQL injection occurs when an application program accepts
>> arbitrary SQL from an untrusted source (think "end user"), blindly adds it
>> to the application's SQL, and executes it. It "
> 
> The Tom referred to in "asktom" has stated he enjoys explaining the
> differences between Oracle and the other db engines.  I suggest you
> (and any other person going between engines) buy his books and study
> them carefully.
> 

>> Like I said - SQL Injection and the link you posted is all about coder
>> problems; sloppy coding leads to SQL injection attacks - common to all
>> databases.
>>
>> Seriously, if you don't know what SQL Injection is - what the hell are you
>> doing teaching?
>>
> 
> I must say, I've seen lots of SQL-server and mysql and php error
> messages on web pages, some definitely not a good idea.

The sad fact is that, in a sense, Tony is correct. When people want to attack SQL Server they often do so by attacking Windows or the domain controller and take over everything. Why waste time going after the database, alone, when you can compromise the entire enterprise with such ease?

-- 
Daniel A. Morgan
Oracle Ace Director & Instructor
University of Washington
damorgan_at_x.washington.edu (replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org
Received on Tue Jun 03 2008 - 18:22:13 CDT
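
An added example, not part of the original message or of the quoted article: the coding problem described in the quoted definition (untrusted input blindly added to the application's SQL) next to the bound-parameter form, plus a handler that keeps engine error text off the web page. Python's sqlite3 stands in for Oracle or SQL Server; the table, data and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 is a stand-in for Oracle / SQL Server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100), ("bob", 250)])
    return db

def lookup_concatenated(db, owner):
    # Vulnerable pattern from the quoted definition: untrusted text is
    # added to the application's SQL and executed as part of the statement.
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, owner):
    # Hardened form: the statement text is fixed and the input is bound
    # as a value, so it can never change the shape of the query.
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()

def lookup_for_web(db, owner, log):
    # Database errors go to a server-side log, not into the response,
    # so table names and SQL fragments are not shown to the visitor.
    try:
        return {"status": 200, "rows": lookup_bound(db, owner)}
    except sqlite3.Error as exc:
        log.append(repr(exc))
        return {"status": 500, "rows": [], "message": "Internal error"}

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing SQL syntax
    print("concatenated:", lookup_concatenated(db, crafted))  # every row
    print("bound:       ", lookup_bound(db, crafted))         # no rows
```

The same bound-parameter idea applies in any engine; only the placeholder syntax differs between drivers.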
