DBAsupport.com Forums - Powered by vBulletin

Thread: SQL Injection?

  1. #1
    Join Date
    Jun 2003
    Posts
    5

    SQL Injection?

    Hello everyone,

    I believe every one of you knows what SQL Injection is.

    But I only know that SQL Injection affects databases like SQL Server 2000. I think it affects all types of databases, right?

    Can you share your experience on how SQL Injection affects your real-time applications and how you would solve the problem?

    Other than SQL Injection, what other ways can people hack a database? Well, I know SQL Slammer affects SQL Server 2000, but
    does Oracle have this problem?

    Any comments, please?

    Thank you.

    Regards,
    Chua Wen Ching

  2. #2
    Join Date
    Nov 2000
    Location
    greenwich.ct.us
    Posts
    9,092
    That's new to me...
    Jeff Hunter

  3. #3
    Join Date
    Feb 2000
    Location
    Singapore
    Posts
    1,758
    SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data.
    SQL Injection and Oracle
    Sanjay G.
    Oracle Certified Professional 8i, 9i.

    "The degree of normality in a database is inversely proportional to that of its DBA"

  4. #4
    Join Date
    Dec 2002
    Location
    Bangalore ( India )
    Posts
    2,434
    SQL Injection (in brief) is caused via the Internet by miscreants...

    The user whom you allow to connect to the DB and act on data should have limited privileges. I think that takes care of everything.

    For example:

    SQL injection is usually caused by developers who use "string-building" techniques in order to execute SQL code. For example, in a search page, the developer may use the following code to execute a query (VBScript/ASP sample shown):

    Set myRecordset = myConnection.execute("SELECT * FROM myTable WHERE someText ='" & request.form("inputdata") & "'")

    Then, when the query string is assembled and sent to SQL Server, the server will process the following code:

    SELECT * FROM myTable WHERE someText ='' exec master..xp_cmdshell 'net user test testpass /ADD'--'

    Here you've got a problem... If the user has privileges to execute the proc, then you can see the damage.
    The above example is SQL Server based, but would apply to Oracle as well.

    If your DB is exposed to an Internet-based application, be cautious in developing the page, user credentials at the DB, and so on.

    Abhay.
    funky...

    "I Dont Want To Follow A Path, I would Rather Go Where There Is No Path And Leave A Trail."

    "Ego is the worst thing many have, try to overcome it & you will be the best, if not good, person on this earth"

  5. #5
    Join Date
    Aug 2002
    Location
    Colorado Springs
    Posts
    5,253
    Another excellent reason for the frontend to access the database using packaged procedures, instead of through direct SQL access.

    Using packaged procedures that accept values to be bound to ref cursors gives you automatic protection against SQL injection.
    David Aldridge,
    "The Oracle Sponge"

    Senior Manager, Business Intelligence Development
    XM Satellite Radio
    Washington, DC

    Oracle ACE

  6. #6
    Join Date
    Nov 2000
    Location
    Baltimore, MD USA
    Posts
    1,339
    Originally posted by slimdave
    Another excellent reason for the frontend to access the database using packaged procedures, instead of through direct SQL access.

    Using packaged procedures that accept values to be bound to ref cursors gives you automatic protection against SQL injection.
    Absolutely!

    There are just sooooo many reasons to create a database abstraction layer out of procs/packages that I'm continually amazed at how few people actually do it.

    - Chris
    Christopher R. Long
    ChrisRLong@HotMail.Com
    But that's just my opinion. I could be wrong

  7. #7
    Join Date
    Jun 2003
    Posts
    5

    Hey

    Thanks for the comments...

    I know you can use parameterized SQL in SQL Server 2000 to avoid SQL injection...

    but does Oracle have parameterized SQL?

    Is the packaged procedure == stored procedure in SQL Server 2000?

    Hmm... any more comments...

    How about other security threats in Oracle... as SQL Server 2000 has SQL Slammer... etc.!

    Regards,
    Chua Wen Ching

  8. #8
    Join Date
    Feb 2000
    Location
    Singapore
    Posts
    1,758

    Re: Hey

    Originally posted by chuawenching
    but does oracle has parameterized sql?
    What do you mean? Passing parameters to SQL, PL/SQL procedures?
    Why not?
    How about other security threats in Oracle... as SQL Server 2000 has SQL Slammer... etc.!
    It seems you are much concerned about security before learning anything about Oracle. See the link in this thread for all your security concerns.
    http://www.dbasupport.com/forums/sho...threadid=36781
    Sanjay G.
    Oracle Certified Professional 8i, 9i.

    "The degree of normality in a database is inversely proportional to that of its DBA"
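
As an added example (editor's code, not from any poster in this thread), tying together Abhay's string-building sample in post #4 and the parameterized-SQL question answered in posts #5 to #8: the same search written two ways in Python against an in-memory SQLite table. The table, rows and payload are constructed for this demonstration. The `:text` placeholder is the named bind style Oracle drivers use, and the equivalent inside a PL/SQL package would be `OPEN p_rc FOR SELECT ... WHERE someText = p_text`. SQLite does not execute batched statements, so the payload is a tautology followed by a comment rather than the `exec xp_cmdshell` batch in the post; the mechanism it exploits (user text parsed as SQL grammar) is the same.

```python
import sqlite3

# Constructed sample table and rows (not from the original thread).
ROWS = [
    ("alpha", "public"),
    ("bravo", "public"),
    ("secret-c", "restricted"),
]

# Payload built for this demo: closes the string literal, adds a tautology,
# and comments out the trailing quote the application appends.
PAYLOAD = "' OR '1'='1' --"


def open_db():
    """Create an in-memory SQLite database holding the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (someText TEXT, label TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?)", ROWS)
    return conn


def search_string_building(conn, inputdata):
    """Mirror of the ASP sample: the statement is assembled by concatenation,
    so the user's text becomes part of the SQL grammar."""
    sql = "SELECT someText FROM myTable WHERE someText ='" + inputdata + "'"
    return sorted(row[0] for row in conn.execute(sql))


def search_bound(conn, inputdata):
    """Same query with a named bind variable: the driver sends the value
    separately from the statement, so it is only compared, never parsed."""
    sql = "SELECT someText FROM myTable WHERE someText = :text"
    return sorted(row[0] for row in conn.execute(sql, {"text": inputdata}))


def demo():
    """Run both versions with an honest search term and with the payload."""
    conn = open_db()
    try:
        return {
            "honest_concat": search_string_building(conn, "alpha"),
            "attack_concat": search_string_building(conn, PAYLOAD),
            "honest_bound": search_bound(conn, "alpha"),
            "attack_bound": search_bound(conn, PAYLOAD),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # The concatenated version returns every row for the payload, including
    # the restricted one; the bound version treats the payload as a literal
    # string and returns nothing.
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

The protection comes from binding, not from the wrapper: a packaged procedure that assembles its statement with `||` and runs it through EXECUTE IMMEDIATE or DBMS_SQL is as exposed as the ASP sample, and the application account should in any case hold no privilege beyond executing that package, which is the least-privilege point made in post #4.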

  9. #9
    Join Date
    Jun 2003
    Posts
    5

    Hi

    I am more interested in the types of security threats and how to fix them!

    Well... I am learning Oracle too...

    but I must know and identify the threats, right?

    Any threats other than SQL injection, SQL Slammer (for SQL Server 2000)???

    Regards,
    Chua Wen Ching

  10. #10
    Join Date
    Dec 2002
    Location
    Bangalore ( India )
    Posts
    2,434
    funky...

    "I Dont Want To Follow A Path, I would Rather Go Where There Is No Path And Leave A Trail."

    "Ego is the worst thing many have, try to overcome it & you will be the best, if not good, person on this earth"
