"CALL hr.hr_sec_pkg.p_select_employee_by_ln_sens(?,?,?,?,?,?,?,?,?,?)" );
...
stmt.setString( 10, "King" ); // Employees Janette and Steven King
...
while( rs.next() ) {
Iterate through the ResultSet using a while block to see all returned rows.
We can attempt a SQL injection here by replacing our previous parameter 10 setting with the
following:
stmt.setString( 10, "King' or 'a'='a" );
What we will see is that no data is returned, because no EMPLOYEES row has the LAST_NAME {King' or 'a'='a}: the bound parameter is compared as a literal value rather than parsed as part of the SQL statement.
Selecting EMPLOYEES Data by RAW: Try SQL Injection
Perhaps, one might think, we can break through and accomplish SQL injection if we hand our data over
as a RAW and only convert it to a VARCHAR2 at the point of making our selection (refer to the Oracle
procedure p_select_employee_by_raw_sens, which we described earlier and in Listing 7-16). The partial
procedure call in Listing 7-27 attempts that strategy.
Listing 7-27. Select by RAW Value, Sensitive Data from Employees, from p_select_employee_by_raw_sens
stmt = ( OracleCallableStatement )conn.prepareCall(
"CALL hr.hr_sec_pkg.p_select_employee_by_raw_sens(?,?,?,?,?,?,?,?,?,?)" );
...
stmt.setRAW( 10, new RAW( "King' or 'a'='a".getBytes() ) );
You will see that once again, our attempt at SQL injection in a stored procedure fails. It seems that
passing parameters, as opposed to embedding user-provided text in dynamic SQL, is quite resistant to
SQL injection.
Also note how we are treating the value between quotation marks as if it were already a String
object, calling the getBytes() method. We saw that first in Chapter 6.
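To see why the bound-parameter calls above (both the setString and the setRAW variants) resist the injection string while embedded dynamic SQL does not, here is an added example that is not from the book or its OracleJavaSecure code. It uses Python's sqlite3 as a stand-in for Oracle and a constructed three-row EMPLOYEES table; the bound query plays the role of the stored procedure, the raw variant assumes the procedure simply converts the bytes back to text before binding (as the page describes for p_select_employee_by_raw_sens), and the concatenated query is the deliberately weak form shown for contrast.

```python
import sqlite3

# Constructed sample rows standing in for HR.EMPLOYEES (not the book's data).
EMPLOYEES = [
    (100, "Steven", "King"),
    (156, "Janette", "King"),
    (200, "Jennifer", "Whalen"),
]

# The same string the book passes to stmt.setString( 10, ... ) and stmt.setRAW( 10, ... ).
INJECTION = "King' or 'a'='a"


def open_db():
    """In-memory database with the constructed EMPLOYEES rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (employee_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def select_by_last_name_bound(conn, last_name):
    """Bound parameter, as with setString(10, ...): the value is data, never SQL text."""
    cur = conn.execute(
        "SELECT employee_id, first_name, last_name FROM employees WHERE last_name = ?",
        (last_name,),
    )
    return cur.fetchall()


def select_by_last_name_raw_bound(conn, raw_bytes):
    """RAW variant, as with setRAW(10, ...): bytes are converted back to text, then bound.
    Converting at the point of selection changes nothing, because the result is still bound."""
    return select_by_last_name_bound(conn, raw_bytes.decode("utf-8"))


def select_by_last_name_concat(conn, last_name):
    """Deliberately weak form for contrast: user text is spliced into the statement."""
    sql = (
        "SELECT employee_id, first_name, last_name FROM employees "
        "WHERE last_name = '" + last_name + "'"
    )
    return conn.execute(sql).fetchall()


def demo():
    """Return row counts for (bound 'King', bound injection, raw injection, concatenated injection)."""
    conn = open_db()
    return (
        len(select_by_last_name_bound(conn, "King")),          # 2: Janette and Steven King
        len(select_by_last_name_bound(conn, INJECTION)),       # 0: no such LAST_NAME
        len(select_by_last_name_raw_bound(conn, INJECTION.encode("utf-8"))),  # 0 again
        len(select_by_last_name_concat(conn, INJECTION)),      # 3: predicate became 'a'='a'
    )


if __name__ == "__main__":
    print(demo())
```

The two bound calls return no rows for the injection string, exactly as the book observes, while the concatenated statement returns every row because the quote characters have changed the WHERE clause itself. This is the check to run against any data-access layer you inherit: if a quote-bearing last name changes the row count, the value is being embedded rather than bound.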
Testing Encryption Failure with New Client Keys
Perhaps you need to see this for yourself, or perhaps not. In any case, you can test calling procedures
with keys on the client that don't match what's on Oracle database: it will fail. Take note that in the Java
code thus far in the TestOracleJavaSecure.main() method, we have exchanged keys, and those would
continue to work. We will take a split-second to remove or disable the keys on the client. We do that with
a call to the resetKeys() method (see Listing 7-28).
Listing 7-28. Test Encryption with Mixed Keys
OracleJavaSecure.resetKeys(); // Method for Chapter 7 testing only
locModulus = OracleJavaSecure.getLocRSAPubMod();
locExponent = OracleJavaSecure.getLocRSAPubExp();
We also establish new keys on the client by calling the getLocRSAPubMod() method, and we get the
public modulus and exponent. If we make no effort to pass these public key artifacts to Oracle database
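The failure the book describes, a client whose freshly generated key pair no longer matches the public key the database holds, can be reproduced without Oracle. The following is an added example, not the book's OracleJavaSecure code: it uses a toy RSA with small constructed primes so the arithmetic is visible (a real deployment uses large keys and standard padding), and a fixed MARKER value stands in for the padding check that makes a real decryption with the wrong private key fail rather than silently return garbage. The names keypair, encrypt_to_public and decrypt_with_private are this example's own.

```python
# Toy RSA key-mismatch demonstration (constructed, not the book's code).
# P1/Q1 generate the client key pair whose public part the database already holds;
# P2/Q2 generate the new client key pair produced after the keys are reset.
P1, Q1 = 4093, 4099      # constructed primes, "registered" client key pair
P2, Q2 = 4001, 4003      # constructed primes, "reset" client key pair
E = 65537                # public exponent shared by both pairs
MARKER = 0xA55A          # integrity tag standing in for real padding


def keypair(p, q, e=E):
    """Return (modulus, public exponent, private exponent) for the toy scheme."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return n, e, d


def encrypt_to_public(modulus, public_exponent, secret_byte):
    """The database side: encrypt one byte (0..255) to the client's public key."""
    if not 0 <= secret_byte <= 255:
        raise ValueError("secret must fit in one byte for this toy scheme")
    block = (MARKER << 8) | secret_byte  # always smaller than either modulus here
    return pow(block, public_exponent, modulus)


def decrypt_with_private(modulus, private_exponent, ciphertext):
    """The client side: decrypt and verify MARKER; a mismatched key fails the check."""
    block = pow(ciphertext, private_exponent, modulus)
    if block >> 8 != MARKER:
        raise ValueError("key mismatch: decrypted block fails integrity check")
    return block & 0xFF


def demo():
    """Return (byte recovered with the matching key, outcome with the reset key)."""
    n_old, e_old, d_old = keypair(P1, Q1)
    ciphertext = encrypt_to_public(n_old, e_old, 42)   # database encrypts to the held key
    recovered = decrypt_with_private(n_old, d_old, ciphertext)

    n_new, _, d_new = keypair(P2, Q2)                  # client has reset its keys
    try:
        decrypt_with_private(n_new, d_new, ciphertext)
        outcome = "unexpectedly decrypted"
    except ValueError as exc:
        outcome = str(exc)
    return recovered, outcome


if __name__ == "__main__":
    print(demo())
```

The matching key pair recovers the byte; the reset pair cannot, because the database encrypted to a public modulus the new private exponent knows nothing about. Re-sending the new public modulus and exponent to the database is what makes the exchange work again, which is the step the book goes on to discuss.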