I believe every one of you knows what SQL Injection is.
But I only know that SQL Injection affects databases like SQL Server 2000. But I think it affects all types of databases, right?
Can you share your experience on how SQL Injection affects your real-time applications and how you would solve the problem?
Other than SQL Injection, what other ways can people hack a database? Well, I know SQL Slammer affects SQL Server 2000, but
does Oracle have this problem?
SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data.
SQL Injection (in brief) is caused over the Internet by miscreants...
The user whom you allow to connect to the DB and act on data should have limited privileges. I think that takes care of everything.
For example:
SQL injection is usually caused by developers who use "string-building" techniques in order to execute SQL code. For example, in a search page, the developer may use the following code to execute a query (VBScript/ASP sample shown):
Set myRecordset = myConnection.execute("SELECT * FROM myTable WHERE someText ='" & request.form("inputdata") & "'")
Then, when the query string is assembled and sent to SQL Server, the server will process the following code:
SELECT * FROM myTable WHERE someText ='' exec master..xp_cmdshell 'net user test testpass /ADD'--'
Here you've got a problem. If the user has privileges to execute the proc, then you can see the damage.
The above example is SQL Server based, but would apply to Oracle as well.
If your DB is exposed to an Internet-based application, be cautious in developing the page, the user credentials at the DB, and so on.
Abhay.
funky...
"I Dont Want To Follow A Path, I would Rather Go Where There Is No Path And Leave A Trail."
"Ego is the worst thing many have, try to overcome it & you will be the best, if not good, person on this earth"
Originally posted by slimdave:
Another excellent reason for the frontend to access the database using packaged procedures, instead of through direct SQL access.
Using packaged procedures that accept values to be bound to ref cursors gives you automatic protection against SQL injection.
Absolutely!
There are just sooooo many reasons to create a database abstraction layer out of procs/packages that I'm continually amazed at how few people actually do it.
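The string-building search from Abhay's post and the bind-value procedure layer slimdave recommends, side by side, as an added example that is not code from the thread. It uses Python's built-in sqlite3 module with a constructed in-memory table so it runs offline; the table name, column names and sample rows are assumptions, and the two attack strings are the tautology and "--" comment forms of the input described above. The SQL Server specific xp_cmdshell batch from the thread is not reproduced, since SQLite has no stacked-batch execution of that kind.

```python
import sqlite3

# Constructed sample data, not taken from the thread.
ROWS = [
    ("alice", "public"),
    ("bob", "secret"),
    ("carol", "public"),
]

# Attack strings of the kind the thread describes: the first closes the
# quoted literal and appends a tautology; the second also comments out
# the remainder of the statement with "--".
TAUTOLOGY_INPUT = "' OR '1'='1"
COMMENT_INPUT = "' OR 1=1 --"


def make_db():
    """Build an in-memory table shaped like myTable in the thread (assumed columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (name TEXT, someText TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?)", ROWS)
    return conn


def search_string_built(conn, inputdata):
    """The ASP pattern from the thread: user input is spliced into the SQL text."""
    sql = "SELECT name FROM myTable WHERE someText = '" + inputdata + "'"
    return sorted(row[0] for row in conn.execute(sql))


def search_bound(conn, inputdata):
    """The fix: the SQL text is fixed, the value travels as a bind variable.

    This is the role a packaged procedure plays in slimdave's suggestion:
    the caller can only hand over a value, never SQL text, so the quote
    and comment characters are just data.
    """
    sql = "SELECT name FROM myTable WHERE someText = ?"
    return sorted(row[0] for row in conn.execute(sql, (inputdata,)))


def compare(inputdata):
    """Run both variants on the same input and return what each one returns."""
    conn = make_db()
    try:
        return {
            "string_built": search_string_built(conn, inputdata),
            "bound": search_bound(conn, inputdata),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, data in [("legit", "public"),
                        ("tautology", TAUTOLOGY_INPUT),
                        ("comment", COMMENT_INPUT)]:
        print(label, compare(data))
```

With the legitimate value "public" both variants return the same two rows. With either attack string the string-built query returns every row, including the "secret" one, while the bound query returns nothing because it searches for the literal text of the attack string.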