January 25, 2004

An Introduction To SQL Injection Attacks For Oracle Developers

Ken mentioned that Stephen Kost has published a paper called "An Introduction to SQL Injection Attacks For Oracle Developers".

Its a good read, even if it is focused on Oracle developers and aimed to be more Oracle specific. If you are doing any sort of mult-tier SQL database software design and programming, you might find this paper useful.

Happy reading!

Posted by SilverStr at January 25, 2004 02:00 AM | TrackBack
Comments

Interesting read.

A couple of months ago you had a similiar link. The big difference is that this Oracle article really emphasized the importance of binding values rather then putting them directly into the SQL call. Way more secure, you get better performance because the db can cache the query optimization, and the java/perl/php/etc code calling it is so much easier to read.

When people IM me and ask how to quote a string so that it doesn't give SQL syntax errors, my recommendation is to not even try, but skip directly to bind values.

Another thing is that even if a native driver doesn't support bind values, the database driver for your programming language might implement it behind the scenes for consistency. DBI does this, anyway.

What is really annoying is see data that contains \\\\\\\\\\\\\\\\\... you just know somebody is trying to quote a string to get it to insert, but botching the data in the process. It's guaranteed that they're not going to be escaping or stripping a continuation character like a semicolon.

By the way, this popup comment window in MT is way to small for the textarea.

Posted by: Wim at January 26, 2004 10:07 AM

http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/02/06/6748.aspx

Posted by: stefan demetz at February 10, 2004 04:49 AM