• Use this package "fully qualified". Fully qualified means that you prefix the
package name with SYS (for example SYS.DBMS_ASSERT). This removes the opportunity for
an attacker to create a local package with the same name that is resolved first.
SQL injection
The comic at http://xkcd.com/327 ("Exploits of a Mom") illustrates the problem:
SQL injection is a technique for maliciously exploiting applications that place client-
supplied data directly into SQL statements. It can be used to "inject" SQL code of the
attacker's choosing: code that creates or deletes objects, or reads data the caller is
not authorized to see. The attacker tricks the SQL engine into executing commands the
application author never intended.
When using dynamic SQL (EXECUTE IMMEDIATE or DBMS_SQL), you need to be aware of SQL
injection. Web applications are at a higher risk, because the attacker needs neither a
database connection nor an application login: the attack travels in the input the
application passes to the database on the attacker's behalf.
Some standard rules must be observed to prevent SQL injection:
• Use the bind variable syntax: Bind variables matter in both static and dynamic SQL.
A bound value is never parsed as part of the statement text, so it cannot change the
statement's structure; this reduces the chance of SQL injection and also improves
performance, because the statement text stays the same between executions.
• Use the SYS.DBMS_ASSERT Oracle package: This package provides functions to check and
validate user input that must become part of the statement text, such as object and
column names, which cannot be bound.
• Check for parentheses and comment markers (-- and /* */): A trailing -- lets an
attacker discard the rest of your statement, including a closing quote. When user input
has to be an identifier, enclose it in double quotes (DBMS_ASSERT.ENQUOTE_NAME); when
it has to be a string literal, enclose it in single quotes with embedded quotes doubled
(DBMS_ASSERT.ENQUOTE_LITERAL). (A document providing an example can be found at the My
Oracle Support website: Doc ID # 101458.1: How to change user password.)
• Remove database privileges that are not necessary: Grant as little as possible. This
does not eliminate SQL injection, but it restricts the impact of a successful attack.
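The rules above, applied to one PL/SQL procedure. This is an added example, not code from the book: the first procedure concatenates the caller's input into the statement text, the second passes the value as a bind and validates the only part of the statement that cannot be bound (a column name) with the fully qualified SYS.DBMS_ASSERT. The EMPLOYEES table and its LAST_NAME and SALARY columns are assumed for illustration.

```sql
-- Added example (not from the original page). Assumes a table EMPLOYEES
-- with columns LAST_NAME and SALARY, and SET SERVEROUTPUT ON in the client.

-- VULNERABLE: p_name is spliced into the statement text.
--   Input  x' OR '1'='1   produces  ... WHERE last_name = 'x' OR '1'='1'
--   and lists every row.
--   Input  x' OR 1=1 --   uses the comment marker to discard the closing
--   quote the procedure appends, so the statement still parses.
CREATE OR REPLACE PROCEDURE list_salary_vuln (p_name IN VARCHAR2) IS
  l_sql  VARCHAR2(4000);
  l_cur  SYS_REFCURSOR;
  l_last employees.last_name%TYPE;
  l_sal  employees.salary%TYPE;
BEGIN
  l_sql := 'SELECT last_name, salary FROM employees WHERE last_name = '''
           || p_name || '''';
  OPEN l_cur FOR l_sql;
  LOOP
    FETCH l_cur INTO l_last, l_sal;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_last || ' ' || l_sal);
  END LOOP;
  CLOSE l_cur;
END;
/

-- HARDENED: the name travels as a bind (:name) and is never parsed as SQL,
-- so the same inputs simply match no row. The column to read is caller
-- supplied too; a column name cannot be bound, so it is checked as a
-- simple SQL identifier and quoted by SYS.DBMS_ASSERT instead.
--   Input  p_col => 'salary, last_name'  raises ORA-44003 (invalid SQL name)
--   before any statement text is built.
CREATE OR REPLACE PROCEDURE list_value_safe (
  p_col  IN VARCHAR2,   -- column to read
  p_name IN VARCHAR2)   -- employee last name to look up
IS
  l_col  VARCHAR2(130);
  l_sql  VARCHAR2(4000);
  l_cur  SYS_REFCURSOR;
  l_last employees.last_name%TYPE;
  l_val  VARCHAR2(4000);
BEGIN
  -- Fully qualified call: a local package named DBMS_ASSERT cannot hijack it.
  l_col := SYS.DBMS_ASSERT.SIMPLE_SQL_NAME(p_col);
  l_col := SYS.DBMS_ASSERT.ENQUOTE_NAME(l_col, capitalize => TRUE);
  l_sql := 'SELECT last_name, ' || l_col
           || ' FROM employees WHERE last_name = :name';
  OPEN l_cur FOR l_sql USING p_name;
  LOOP
    FETCH l_cur INTO l_last, l_val;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_last || ' ' || p_col || '=' || l_val);
  END LOOP;
  CLOSE l_cur;
END;
/

-- Try both with the same hostile input:
BEGIN
  list_salary_vuln('x'' OR ''1''=''1');            -- dumps the whole table
  list_value_safe('salary', 'x'' OR ''1''=''1');   -- prints nothing
END;
/
```

The privilege rule applies on top of this: create the procedure in a schema that holds only SELECT on EMPLOYEES, so that even a concatenation bug elsewhere cannot be turned into a DROP or an UPDATE.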