| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Usenet -> c.d.o.server -> Re: PL/SQL where clause quandary
Hi Steven
I understand your quandary but I also agree with the other poster you should really get the third party app company to fix the bug rather than try and work around it. Hacking it is not the way.
BUT if you have no other choice than to hack then you could try SQL injection. If you can only edit the table name (and add as much text as you like) but not the where clause then you can pass the where clause with the table name and add a comment at the end to block out the original where clause. The issue you will have is if the two numbers given are generated by the app then how do you generate them outside the third party app and add to your new where clause. An example would be:
before :- table name passed in is "points" and it generates
select a,b from points where a = 2 and a = 10;
after :- table name passed in is "points where a is between 2 and 10;--"
select a,b from points where a is between 2 and 10;-- where a=2 and a=10;
Of course without knowing more I am not sure this would work for you.
take a look at my website http://www.petefinnigan.com/orasec.htm, there are links to three papers I have written recently about SQL injection on Oracle that may interest you.
hth
kind regards
Pete
-- Pete Finnigan email:pete_at_petefinnigan.com Web site: http://www.petefinnigan.com - Oracle security audit specialists Book:Oracle security step-by-step Guide - see http://store.sans.org for details.Received on Tue Sep 02 2003 - 14:16:45 CDT
 |
 |