Security issues
We have seen that there are many reasons to use bind variables from a performance point
of view. Security is another reason to use bind variables in database applications.
Let's try to execute the stored procedure TEST_INJECTION in our package. This simple
procedure has a string parameter NAME and shows the number of customers with the
last name passed as a parameter:
SET SERVEROUTPUT ON
exec sh.CHAPTER4.TEST_INJECTION('Hanson');
exec sh.CHAPTER4.TEST_INJECTION(''' or 1=1--');
The output screen is as follows:
In the second execution, we have passed a tricky parameter value, so the query executed
from the procedure will be as follows:
SELECT COUNT(*) FROM sh.customers s
WHERE s.cust_last_name = '' or 1=1--'
Because of the OR 1=1 condition, this statement counts every customer in the table: the
quote in the parameter closes the string literal, and everything after it is parsed as
SQL. We have changed the behavior of the program from outside. Think about the
consequences if a similar procedure can access sensitive data and the name parameter is
bound to a field the user can edit in the interface. If we use bind variables, the
parameter is always treated as data, never as part of the statement, and this cannot
happen.
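As an added example (not the book's CHAPTER4 package; the body of TEST_INJECTION is not shown in the text, so the concatenating version below is an assumed reconstruction of the vulnerable pattern), here is the same procedure written three ways, with the same crafted input as above: concatenated dynamic SQL, dynamic SQL with a bind variable, and static SQL, which PL/SQL binds automatically.

```sql
-- Assumed reconstruction of the vulnerable pattern: the parameter is
-- concatenated into a dynamic statement, so the quote in the input
-- closes the literal and the rest of the input becomes SQL.
CREATE OR REPLACE PROCEDURE test_injection_concat (name IN VARCHAR2) IS
  l_count NUMBER;
  l_sql   VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM sh.customers s ' ||
           'WHERE s.cust_last_name = ''' || name || '''';
  EXECUTE IMMEDIATE l_sql INTO l_count;
  DBMS_OUTPUT.PUT_LINE('Concatenated: ' || l_count);
END;
/

-- Hardened form: the parameter is passed as a bind variable, so it is
-- always data. The input ' or 1=1-- becomes a literal last name that
-- matches nobody, and the statement text is shareable in the shared
-- pool, which is the performance benefit discussed earlier.
CREATE OR REPLACE PROCEDURE test_injection_bind (name IN VARCHAR2) IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM sh.customers s WHERE s.cust_last_name = :ln'
    INTO l_count USING name;
  DBMS_OUTPUT.PUT_LINE('Bound: ' || l_count);
END;
/

-- Static SQL inside PL/SQL binds its variables automatically; when the
-- statement text does not need to vary, this is the simplest safe form.
CREATE OR REPLACE PROCEDURE test_injection_static (name IN VARCHAR2) IS
  l_count NUMBER;
BEGIN
  SELECT COUNT(*) INTO l_count
    FROM sh.customers s
   WHERE s.cust_last_name = name;
  DBMS_OUTPUT.PUT_LINE('Static: ' || l_count);
END;
/

SET SERVEROUTPUT ON
-- Same crafted value as in the text, against each version.
exec test_injection_concat(''' or 1=1--');  -- counts every customer
exec test_injection_bind(''' or 1=1--');    -- 0: the value is only data
exec test_injection_static(''' or 1=1--');  -- 0 as well
```

Dynamic SQL is only needed when the statement text itself must change (for example a table name chosen at runtime); for plain values, a bind variable or static SQL is always available.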
In the next sample, we will use the TEST_INJECTION2 procedure to illustrate how a
malicious user can use our application to make unwanted changes to the database.