Re: SQL Injection in HTML DB prevention

From: david wendelken <davewendelken_at_earthlink.net>
Date: Mon, 18 Apr 2005 11:39:24 -0700 (PDT)
Message-ID: <29794013.1113849564214.JavaMail.root@huey.psp.pas.earthlink.net>

Using your approach, a user doing a search for an employee named Maureen O'Hara would never find a match. Your page would issue a search for Maureen OHara and not find a match.

A simple replace function will not understand the difference between syntax punctuation and data punctuation inside a quoted string. You'll need a smarter custom parsing function for that.

I don't think that's what you are aiming for.

You're concerned that your page, along with a sneaky user, would issue a statement like this:

select * from some_table
where 1 = 1; delete some_other_table;

And somehow, both statements would get issued? Depends on the back-end code, but doesn't seem too likely. You could test for it to make sure.

Or:

select aa,bb from some_table
where 1 = 1 union all select id, password from some_userpassword_table;

This one would be more likely. Making sure a union isn't in the statement would prevent that. Of course, it would also prevent legitimate uses of a union (assuming that there are any).

Hope this helps.

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Apr 18 2005 - 14:45:00 CDT