Databases Reference
In-Depth Information
Figure 7-1. Escape special characters
SQL Injection Attacks
SQL injection happens when a user enters a SQL statement, or a fragment of a statement, in an input
value with the intent of trying to expose security holes in an application. A simple example can be built
around an “execute immediate” block of PL/SQL used to invalidate a user input item. Suppose you had a
page item,
P1_NAME
, that used a plug-in item to call an execute immediate block using the item value as
part of the validation. The execute immediate invocation would look like the following:
execute immediate 'BEGIN some_validation_procedure (p_name => ''' || p_value || '''); END;';
If the
p_value
is “Martin”, the execute immediate block will run the following code:
BEGIN some_validation_procedure (p_name => 'Martin'); END;
At first glance, the preceding code and the example look good, but what if the user enters some
malicious code in the item value? For example, what if the user enters
'); TRUNCATE TABLE users; --
?
The execute immediate block will then run the following code:
BEGIN some_validation_procedure (p_name => ''); TRUNCATE TABLE users; --'); END;
You'll notice that this code will call
some_validation_procedure
, and then truncate a table. Besides
dropping a table, a malicious user can obtain all your data using the right techniques. SQL injection is
clearly something you want to guard against.
APEX has some functions that, when used properly, can prevent SQL injection.
APEX_PLUGIN_UTIL.EXECUTE_PLSQL_CODE
•
APEX_PLUGIN_UTIL.GET_DATA(2)
•
APEX_PLUGIN_UTIL.GET_DISPLAY_DATA(2)
•
•
APEX_PLUGIN_UTIL.GET_PLSQL_EXPRESSION_RESULT
APEX_PLUGIN_UTIL.GET_PLSQL_FUNCTION_RESULT
It's recommended that you use these functions when needed, both for security reasons and to make
your coding easier, as these functions and procedures will also enable all bind variables. For more
information, read the
APEX_PLUGIN_UTIL
API documentation.
•
