And voilà! We have DBA:
DEVACCT@ORA12CR1> select * from session_roles;
no rows selected
DEVACCT@ORA12CR1> exec eoda.inj( sysdate )
select username
from all_users
where created =
''union select devacct.foo from dual--'
.....
PL/SQL procedure successfully completed.
DEVACCT@ORA12CR1> connect devacct/foobar
Connected.
DEVACCT@ORA12CR1> select * from session_roles;
ROLE
-------------------------------------------------------------------------------
DBA
SELECT_CATALOG_ROLE
...
XS_RESOURCE
OLAP_DBA
24 rows selected.
Tip
Query ROLE_ROLE_PRIVS to view which roles are granted to other roles.
So, how could you have protected yourself? By using bind variables. For example:
EODA@ORA12CR1> create or replace procedure NOT_inj( p_date in date )
as
    l_username   all_users.username%type;
    c            sys_refcursor;
    l_query      varchar2(4000);
begin
    l_query := '
        select username
          from all_users
         where created = :x';

    dbms_output.put_line( l_query );
    open c for l_query USING P_DATE;
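The difference between concatenating the parameter and binding it, as an added example that is not from the original text. It uses Python's sqlite3 module as a stand-in for Oracle; the sample rows, the dual table and the registered foo() function (standing in for devacct.foo) are constructed for the illustration.

```python
import sqlite3

# Constructed stand-in for the injected text shown above; foo() replaces devacct.foo.
PAYLOAD = "'union select foo() from dual--"

def make_db():
    """In-memory SQLite stand-in for the Oracle schema (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table all_users (username text, created text);
        insert into all_users values ('SYS', '2014-01-01'), ('EODA', '2014-02-02');
        create table dual (dummy text);
        insert into dual values ('X');
    """)
    calls = []  # records every execution of foo()

    def foo():
        calls.append("foo")
        return "foo ran"

    conn.create_function("foo", 0, foo)
    return conn, calls

def inj(conn, p_date):
    """Concatenation: the parameter text becomes part of the SQL statement."""
    query = "select username from all_users where created = '" + p_date + "'"
    return [row[0] for row in conn.execute(query)]

def not_inj(conn, p_date):
    """Bind variable: the statement text is fixed, the parameter is only data."""
    query = "select username from all_users where created = :x"
    return [row[0] for row in conn.execute(query, {"x": p_date})]

def compare(value):
    """Run both variants on fresh databases; report rows and whether foo() ran."""
    result = {}
    for name, proc in (("inj", inj), ("not_inj", not_inj)):
        conn, calls = make_db()
        result[name] = {"rows": proc(conn, value), "foo_ran": bool(calls)}
        conn.close()
    return result

if __name__ == "__main__":
    print(compare("2014-02-02"))
    print(compare(PAYLOAD))
```

With the bound version the same text is compared against the created column as a plain value, so it matches no rows and foo() never executes.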
 