SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data.
SQL injection (in brief) is caused via the Internet by miscreants...
The user whom you allow to connect to the DB and act on data should have limited privileges. I think that takes care of everything.
SQL injection is usually caused by developers who use "string-building" techniques in order to execute SQL code. For example, in a search page, the developer may use the following code to execute a query (VBScript/ASP sample shown):
Set myRecordset = myConnection.execute("SELECT * FROM myTable WHERE someText ='" & request.form("inputdata") & "'")
Then, when the query string is assembled and sent to SQL Server, the server will process the following code:
SELECT * FROM myTable WHERE someText ='' exec master..xp_cmdshell 'net user test testpass /ADD'--'
Here you've got a problem... If the user has privileges to execute the proc, then you can see the damage.
The above example is SQL Server based, but would apply to Oracle as well.
If your DB is exposed to an Internet-based application, be cautious in developing the page, the user credentials at the DB, and so on.
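As an added example that is not part of the original post, here is the same search written in Python against an in-memory SQLite table (an assumed stand-in for SQL Server or Oracle; SQLite has no xp_cmdshell, so the string-built query fails with a syntax error instead of running the procedure). It contrasts the string-building shown above with a parameterized query, which sends the same input to the database as plain data:

```python
import sqlite3

# Constructed sample input: the exact value the post shows being submitted
# through the "inputdata" form field.
INJECTED_INPUT = "' exec master..xp_cmdshell 'net user test testpass /ADD'--"


def build_query_unsafe(inputdata: str) -> str:
    """String-building, as in the ASP sample: user text is spliced into the SQL."""
    return "SELECT * FROM myTable WHERE someText ='" + inputdata + "'"


def setup() -> sqlite3.Connection:
    """Create a small table; one row deliberately stores the injected text as data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (id INTEGER PRIMARY KEY, someText TEXT)")
    conn.executemany(
        "INSERT INTO myTable (someText) VALUES (?)",
        [("hello",), (INJECTED_INPUT,)],
    )
    conn.commit()
    return conn


def search_unsafe(conn: sqlite3.Connection, inputdata: str):
    """Run the string-built query. Returns (sql_text, error_message_or_None, rows)."""
    sql = build_query_unsafe(inputdata)
    try:
        return sql, None, conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # The user's text has become part of the statement; here it only breaks
        # the parse, but on SQL Server it would be executed.
        return sql, str(exc), []


def search_safe(conn: sqlite3.Connection, inputdata: str):
    """Parameterized query: the driver passes the value separately from the SQL."""
    sql = "SELECT * FROM myTable WHERE someText = ?"
    return conn.execute(sql, (inputdata,)).fetchall()


if __name__ == "__main__":
    db = setup()
    print(search_unsafe(db, INJECTED_INPUT))
    print(search_safe(db, INJECTED_INPUT))
```

With the parameterized version the injected value simply matches (or fails to match) a stored string; combined with the limited database privileges mentioned above, even a successful injection has far less to do damage with.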