Re: pl/sql constructing singlequote string?
From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Mon, 20 Oct 2003 00:19:48 +0100
Message-ID: <ymUAzNBUwxk$Ewwp_at_peterfinnigan.demon.co.uk>
Hi
Just add an additional single quote. You may be interested in a couple of papers I wrote about SQL injection and Oracle that are possible when you use dynamic SQL and PL/SQL. Client apps can be injected just as easily as web apps! You may want to consider bind variables. You will find links to the papers on http://www.petefinnigan.com/orasec.htm - they are near the top of the page.
kind regards
Pete
--
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

Received on Mon Oct 20 2003 - 01:19:48 CEST
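Added example, not part of the original message: the doubled-quote technique and the bind-variable alternative mentioned in the reply, side by side in one anonymous PL/SQL block. The value `O'Brien`, the helper `try_sql` and the variable names are constructed for illustration; the block queries only `DUAL`.

```sql
-- Added example; run in SQL*Plus or SQLcl. Uses only DUAL, no user tables.
SET SERVEROUTPUT ON
DECLARE
  -- Inside a PL/SQL string literal, two single quotes stand for one.
  v_name VARCHAR2(30) := 'O''Brien';   -- constructed sample value: O'Brien
  v_out  VARCHAR2(100);

  -- Hypothetical helper: run a dynamic query and print its result or error.
  PROCEDURE try_sql(p_label VARCHAR2, p_sql VARCHAR2) IS
  BEGIN
    EXECUTE IMMEDIATE p_sql INTO v_out;
    DBMS_OUTPUT.PUT_LINE(p_label || ': ' || v_out);
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE(p_label || ': ' || SQLERRM);
  END;
BEGIN
  -- 1. Raw concatenation. The quote inside the value closes the SQL literal
  --    early, so the rest of the value is parsed as SQL text. With a name
  --    like O'Brien the statement fails to parse; this is the same mechanism
  --    SQL injection relies on.
  try_sql('raw concat',
          'SELECT ''Hello '' || ''' || v_name || ''' FROM dual');

  -- 2. Doubling every quote in the value keeps it inside the literal.
  --    It works, but each concatenation site has to remember to do it.
  try_sql('doubled',
          'SELECT ''Hello '' || ''' || REPLACE(v_name, '''', '''''')
          || ''' FROM dual');

  -- 3. Bind variable. The value is passed separately from the statement
  --    text and is never parsed as SQL, so no escaping is needed.
  EXECUTE IMMEDIATE 'SELECT ''Hello '' || :n FROM dual'
    INTO v_out USING v_name;
  DBMS_OUTPUT.PUT_LINE('bind: ' || v_out);
END;
/
```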