Re: pl/sql constructing singlequote string?

From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Mon, 20 Oct 2003 00:19:48 +0100
Message-ID: <ymUAzNBUwxk$Ewwp_at_peterfinnigan.demon.co.uk>


Hi

Just add an additional single quote. You may be interested in a couple of papers I wrote about SQL injection and Oracle that are possible when you use dynamic SQL and PL/SQL. Client apps can be injected just as easily as web apps! You may want to consider bind variables. You will find links to the papers on http://www.petefinnigan.com/orasec.htm - they are near the top of the page.

kind regards

Pete

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Mon Oct 20 2003 - 01:19:48 CEST
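
The two suggestions in the message above (doubling the quote, and using a bind variable instead of concatenation), shown side by side as an added example that is not part of the original post or of the papers it links to. The sample value and variable names are constructed; `ALL_USERS` is used only because it is a standard dictionary view any account can query.

```sql
-- Added example (not from the original message). Run in SQL*Plus or SQLcl.
SET SERVEROUTPUT ON

DECLARE
  -- Constructed sample input. In a PL/SQL literal the quote is doubled,
  -- so this variable holds the seven characters O'BRIEN.
  v_name  VARCHAR2(30) := 'O''BRIEN';
  v_sql   VARCHAR2(200);
  v_count PLS_INTEGER;
BEGIN
  -- 1. Naive concatenation: the value is pasted into the statement text.
  --    The quote inside the value ends the SQL literal early, so the text
  --    no longer means what the developer intended. Printed only, not run.
  v_sql := 'SELECT COUNT(*) FROM all_users WHERE username = '''
           || v_name || '''';
  DBMS_OUTPUT.PUT_LINE('concatenated: ' || v_sql);

  -- 2. Concatenation with every quote in the value doubled, as the message
  --    suggests for building a literal. The statement parses, but each
  --    concatenated value in the application has to be treated this way.
  v_sql := 'SELECT COUNT(*) FROM all_users WHERE username = '''
           || REPLACE(v_name, '''', '''''') || '''';
  DBMS_OUTPUT.PUT_LINE('escaped:      ' || v_sql);
  EXECUTE IMMEDIATE v_sql INTO v_count;
  DBMS_OUTPUT.PUT_LINE('rows matched: ' || v_count);

  -- 3. Bind variable: the statement text is constant and the value is
  --    passed separately, so it is never parsed as SQL and no quoting of
  --    the value is needed.
  v_sql := 'SELECT COUNT(*) FROM all_users WHERE username = :name';
  DBMS_OUTPUT.PUT_LINE('bound:        ' || v_sql);
  EXECUTE IMMEDIATE v_sql INTO v_count USING v_name;
  DBMS_OUTPUT.PUT_LINE('rows matched: ' || v_count);
END;
/
```

Where the statement shape is fixed and only values vary, the third form is the one to prefer; the second form is for the cases where a literal really has to be built into the text.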
