Table of Contents

OVERVIEW .......... 5
  Introduction .......... 5
  SQL Injection Overview .......... 5
  SQL Injection: Oracle versus Other Databases .......... 5
  Application Development .......... 6
SQL INJECTION .......... 6
  Introduction .......... 6
  Categories of SQL Injection Attacks .......... 6
  What’s Vulnerable .......... 7
  What’s Not Vulnerable .......... 7
SQL INJECTION METHODS .......... 8
  SQL Manipulation .......... 8
  Code Injection .......... 9
  Function Call Injection .......... 9
  Buffer Overflows .......... 11
PL/SQL .......... 12
  Overview .......... 12
  Execute Immediate Statement .......... 12
  DBMS_SQL Package .......... 13
  Dynamic Cursors .......... 15
JDBC .......... 16
  Overview .......... 16
  PreparedStatement .......... 16
  CallableStatement .......... 17
PROTECTING AGAINST SQL INJECTION .......... 18
  Bind Variables .......... 18
  Input Validation .......... 18
  Function Security .......... 18
  Error Messages .......... 19
COMMON EXCEPTIONS .......... 20
  Dynamic Table Names and Where Clauses .......... 20
  Like Clauses .......... 20
  Dynamic Procedure and Function Calls .......... 20
ORACLE FUNCTIONS .......... 22
  Determine Function Privileges .......... 22
  Restricting Access to Functions .......... 22
  Standard Functions .......... 22
  Oracle Supplied Functions .......... 22
  Custom Application Functions .......... 23