Oracle Security: SQL Injection

From Robs_Wiki

Revision as of 09:00, 28 January 2020

What is SQL Injection?

SQL injection is a technique to maliciously exploit applications that use client-supplied data in SQL statements. Attackers trick the SQL engine into executing unintended commands by supplying specially crafted string input, thereby gaining unauthorized access to a database in order to view or manipulate restricted data.

How does SQL Injection take place?

Incorrectly validated or unvalidated string literals are concatenated into a dynamic SQL statement and interpreted as code by the SQL engine. Because the caller's input becomes part of the statement text rather than a bound value, a quote character in that input can end the literal early and turn the remainder into SQL. The code passages below are examples of code that is vulnerable to SQL Injection:

-- Vulnerable by design: p_email and p_last_name are spliced into the
-- statement text, so a quote in either value can alter the WHERE clause.
Stmt CONSTANT VARCHAR2(4000) :=
'select email from employees 
where email = '''|| p_email|| ''' 
and last_name = ''' ||p_last_name || '''';
-- Also vulnerable: identifiers cannot be bound, so the column and table
-- names are concatenated unchecked (e.g. p_colname = 'email from employees--').
Stmt2 CONSTANT VARCHAR2(4000) := 'select '||p_colname||' from '||p_tablename;
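The following is an added example, not code from the original page: the vulnerable pattern above wrapped in a PL/SQL procedure, next to hardened versions of both cases. It assumes a table EMPLOYEES(EMAIL, LAST_NAME); the procedure names and the sample inputs are hypothetical, constructed for the demonstration. Run it with SERVEROUTPUT ON in SQL*Plus or SQLcl.

```sql
-- Added example (not from the original page). Assumes EMPLOYEES(EMAIL, LAST_NAME);
-- procedure names are hypothetical. Run with SET SERVEROUTPUT ON.

-- 1. Vulnerable: the page's pattern as a procedure. The caller's strings
--    become part of the statement text.
CREATE OR REPLACE PROCEDURE find_email_unsafe (
  p_email     IN VARCHAR2,
  p_last_name IN VARCHAR2)
IS
  l_stmt  VARCHAR2(4000);
  l_cur   SYS_REFCURSOR;
  l_email employees.email%TYPE;
BEGIN
  l_stmt := 'select email from employees'
         || ' where email = '''     || p_email     || ''''
         || ' and last_name = '''   || p_last_name || '''';
  DBMS_OUTPUT.PUT_LINE('executing: ' || l_stmt);
  OPEN l_cur FOR l_stmt;
  LOOP
    FETCH l_cur INTO l_email;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE('  ' || l_email);
  END LOOP;
  CLOSE l_cur;
END;
/

-- 2. Hardened: static SQL. PL/SQL binds p_email and p_last_name as values,
--    so their content can never change the shape of the statement.
CREATE OR REPLACE PROCEDURE find_email_safe (
  p_email     IN VARCHAR2,
  p_last_name IN VARCHAR2)
IS
BEGIN
  FOR r IN (SELECT email FROM employees
             WHERE email = p_email AND last_name = p_last_name)
  LOOP
    DBMS_OUTPUT.PUT_LINE('  ' || r.email);
  END LOOP;
END;
/

-- 3. The Stmt2 case: column and table names cannot be bind variables, so
--    validate them with DBMS_ASSERT before concatenating.
--    SIMPLE_SQL_NAME raises ORA-44003 unless the string is one legal SQL name;
--    SQL_OBJECT_NAME raises ORA-44002 unless the object exists.
CREATE OR REPLACE PROCEDURE select_column_safe (
  p_colname   IN VARCHAR2,
  p_tablename IN VARCHAR2)
IS
  l_stmt VARCHAR2(4000);
  l_cur  SYS_REFCURSOR;
  l_val  VARCHAR2(4000);
BEGIN
  l_stmt := 'select ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_colname)
         || ' from '  || DBMS_ASSERT.SQL_OBJECT_NAME(p_tablename);
  OPEN l_cur FOR l_stmt;
  LOOP
    FETCH l_cur INTO l_val;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE('  ' || l_val);
  END LOOP;
  CLOSE l_cur;
END;
/

-- 4. Constructed inputs: a normal lookup, then an injected one.
BEGIN
  DBMS_OUTPUT.PUT_LINE('normal lookup, unsafe procedure:');
  find_email_unsafe('jdoe@example.com', 'Doe');

  -- The quote inside the input ends the literal early and the rest is parsed
  -- as SQL. The WHERE clause becomes
  --   email = 'x' or '1'='1' and last_name = 'x' or '1'='1'
  -- which is true for every row, so every email in the table is listed.
  DBMS_OUTPUT.PUT_LINE('injected input, unsafe procedure:');
  find_email_unsafe('x'' or ''1''=''1', 'x'' or ''1''=''1');

  -- With bind variables the same input is just a string to compare
  -- against; no row has that email, so nothing is listed.
  DBMS_OUTPUT.PUT_LINE('injected input, safe procedure:');
  find_email_safe('x'' or ''1''=''1', 'x'' or ''1''=''1');

  -- Identifier injection is rejected before any SQL is built (ORA-44003).
  BEGIN
    select_column_safe('email from employees--', 'employees');
  EXCEPTION
    WHEN OTHERS THEN DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
  END;
END;
/
```

The split is the point: values go through bind variables (static SQL, or EXECUTE IMMEDIATE ... USING when the statement must be dynamic), identifiers go through DBMS_ASSERT. Two caveats a reviewer would raise: DBMS_ASSERT.SQL_OBJECT_NAME only checks that the object exists, not that the caller should be allowed to read it, so a definer's-rights procedure still needs its own authorization check on p_tablename; and if a literal really must be concatenated, DBMS_ASSERT.ENQUOTE_LITERAL doubles embedded quotes for you, but binding remains the stronger choice.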