Oracle Security: SQL Injection

From Robs_Wiki
Revision as of 09:01, 28 January 2020 by Qadmin wiki (talk | contribs) (How does SQL Injection take place?)
Jump to: navigation, search

What is SQL Injection ?

SQL injection is a technique to maliciously exploit applications that use client-supplied data in SQL statements. Attackers trick the SQL engine into executing unintended commands by supplying specially crafted string input, thereby gaining unauthorized access to a database in order to view or manipulate restricted data.

How does SQL Injection take place?

Incorrectly validated or nonvalidated string literals are concatenated into a dynamic SQL statement, and interpreted as code by the SQL engine. The code passages below are examples of code that is vulnarable for SQL Injection: 

Stmt1 CONSTANT VARCHAR2(4000) :=
'select email from employees  where email = '''|| p_email|| '''  and last_name = ''' ||p_last_name || '''';

Stmt2 CONSTANT VARCHAR2(4000) := 'select '||p_colname||' from '||p_tablename;
Retrieved from "http://rob.lasonder.org/index.php?title=Oracle_Security:_SQL_Injection&oldid=2941"