Oracle usually runs as the oracle user), the compromise is “limited” to all data in the database.
Let's bring the discussion back to SQL injection. Assume that a user is asked to enter both the time and the time zone for a certain business transaction and that the FROM_TZ function is then used to “anchor” the time based on the entered time zone. If the application does not check the input field for a precise regular expression (e.g., [0-24]:[0-5][0-9]) and passes any string entered by the user as an argument in the function call, then you have a serious vulnerability.
5.4.2 Implementation options: Patches and best practices
There is really nothing new under the sun in this case. The key elements in protecting yourself against this double whammy are the following:

Track security advisories. Apply patches when they are available, and when they are not, check the SQL calls to see if your applications use vulnerable resources. In the example shown here, you could have looked at the SQL being utilized by the application and determined whether the application uses FROM_TZ. If so, you should have looked closely at the application code to check whether that portion is vulnerable to a SQL injection attack, or you should have replaced the use of that function.

Protect yourself against SQL injection attacks using all of the implementation options listed in the previous section. While in this case the vulnerability is not based on string concatenation, and therefore most of the options will not help much, some will. As an example, the hacker may need to carefully build an attack string and will need numerous attempts to plant the code to jump to. This may give you a chance to discover the attack and initiate an incident response process.
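As an added illustration of the FROM_TZ scenario above and of the two practices in 5.4.2 (this is example code written for this page, not the book's), the block below contrasts the unchecked string splice with a validated, bind-variable version, and keeps a per-source count of rejected submissions so that the repeated attempts mentioned above become visible. The time pattern, the small time zone allowlist, the 64-character cap, and the RejectionTracker class are all assumptions of the example.

```python
import re
from collections import Counter

# Example code for this page, not from the book. The time pattern below is
# stricter than the book's illustrative "[0-24]:[0-5][0-9]".
TIME_RE = re.compile(r"^(?:[01][0-9]|2[0-3]):[0-5][0-9]$")
# Constructed allowlist (assumption); in practice load the accepted region
# names from the database itself at startup rather than from user input.
ALLOWED_TZ = frozenset({"UTC", "Europe/London", "America/New_York", "Asia/Tokyo"})
MAX_TZ_LEN = 64  # hard length cap, independent of the allowlist (assumed value)


def vulnerable_query(time_str: str, tz_str: str) -> str:
    """The 'before': whatever the user typed is spliced into the FROM_TZ call."""
    return ("SELECT FROM_TZ(TO_TIMESTAMP('" + time_str + "', 'HH24:MI'), '"
            + tz_str + "') FROM dual")


def validate_time(s: str) -> str:
    if not TIME_RE.fullmatch(s):
        raise ValueError("time must be HH24:MI")
    return s


def validate_tz(s: str) -> str:
    # Length is checked first: the FROM_TZ weakness is driven by argument size,
    # so an over-long value is rejected before anything else looks at it.
    if len(s) > MAX_TZ_LEN or s not in ALLOWED_TZ:
        raise ValueError("time zone not in allowlist")
    return s


def safe_query(time_str: str, tz_str: str) -> tuple[str, dict]:
    """The 'after': validated values travel as bind variables, never as SQL text."""
    binds = {"t": validate_time(time_str), "z": validate_tz(tz_str)}
    return "SELECT FROM_TZ(TO_TIMESTAMP(:t, 'HH24:MI'), :z) FROM dual", binds


class RejectionTracker:
    """Counts rejected submissions per source (hypothetical helper). A burst of
    failures from one source is the signal 5.4.2 says you get a chance to see."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.counts = Counter()

    def record(self, source: str, time_str: str, tz_str: str) -> bool:
        """Validate one submission; return True once source crosses the threshold."""
        try:
            safe_query(time_str, tz_str)
        except ValueError:
            self.counts[source] += 1
        return self.counts[source] >= self.threshold
```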
5.5 Don't consider eliminating the application server layer
After seeing so many problems that occur at the application layer, you may be tempted to say that you might as well write and deploy the application code directly within the database server using packages and extensions provided by the database vendor. Some of the experts may even try to convince