user3246431

Reputation: 922

Embed DML/DDL as subquery?

In an application that my team is developing, all users can define SQL-based filters, which are SQL select statements that return IDs. This statement, which is entered by the user, is then embedded in an insert ... select ... statement as a subselect clause.

I do have a very bad feeling about this and I think this is a serious security issue, because users might find a way to execute dangerous arbitrary SQL commands like delete from....

Restricting or removing this feature will certainly be against the customer's will. Because of this, I would like to have a proof-of-concept that shows the problem.

Hence my question:
Is it possible to execute some really dangerous statements that modify data or schema using a subselect clause?

Upvotes: 1

Views: 881

Answers (2)

Ditto

Reputation: 3344

Is it possible to execute some really dangerous statements that modify data or schema using a subselect clause?

Short answer: YES!

example: http://xkcd.com/327/

Please read these articles, and present them to your "clients". Show them that by doing this the system will be more vulnerable, and will be exploitable.

https://asktom.oracle.com/pls/apex/f?p=100:11:0::::P11_QUESTION_ID:23863706595353

https://asktom.oracle.com/pls/apex/f?p=100:11:0::::P11_QUESTION_ID:31670728929866

http://www.securiteam.com/securityreviews/5DP0N1P76E.html

http://tkyte.blogspot.fi/2012/02/all-about-security-sql-injection.html

Upvotes: 0

GolezTrol

Reputation: 116110

No. That's not possible. However, maybe they can enter two statements, which are executed one after the other. If the first part is a harmless select, they could end it (using a semicolon) and add another, harmful statement. Whether this will work at all depends on the way that statement is executed, but make sure to test for this situation.

Even better, make a user that has no rights to perform DML statements, or even DDL statements, except inserting into that one table. Let the feature connect through that user account. That way, it's never possible for them to write a statement that does harmful things, other than flooding the table.

Using the Resource Manager you can even make sure that this user won't cause very high load on the database.

Upvotes: 2
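What the restricted account and Resource Manager setup from this answer look like in practice, as an added example (not code from the original answer); Oracle 11g+ syntax, and the schema, table, user names and password placeholder are assumptions:

```sql
-- Added example, not from the original answer. Oracle syntax; all names and
-- the password placeholder are assumed. The application wraps the user's
-- filter as:  INSERT INTO app.filter_results (id) SELECT id FROM (<user sql>)
-- and runs it over a connection opened as FILTER_RUNNER, created below.

-- 1. Least-privilege account: may log in, read the filterable tables,
--    and append to the one result table. Nothing else.
CREATE USER filter_runner IDENTIFIED BY "<placeholder-strong-password>";
GRANT CREATE SESSION TO filter_runner;
GRANT SELECT ON app.items     TO filter_runner;   -- tables a filter may query
GRANT SELECT ON app.customers TO filter_runner;
GRANT INSERT ON app.filter_results TO filter_runner;
-- Deliberately absent: UPDATE/DELETE on any table, CREATE TABLE/PROCEDURE,
-- EXECUTE on packages or functions that perform DML, any DBA/RESOURCE role.

-- 2. Resource Manager: bound the load one filter can put on the instance.
BEGIN
  DBMS_RESOURCE_MANAGER.CREATE_PENDING_AREA;
  DBMS_RESOURCE_MANAGER.CREATE_CONSUMER_GROUP(
    consumer_group => 'FILTER_GROUP',
    comment        => 'user-defined filter queries');
  DBMS_RESOURCE_MANAGER.CREATE_PLAN(
    plan    => 'FILTER_PLAN',
    comment => 'limit user-defined filters');
  DBMS_RESOURCE_MANAGER.CREATE_PLAN_DIRECTIVE(
    plan              => 'FILTER_PLAN',
    group_or_subplan  => 'FILTER_GROUP',
    comment           => 'filters get at most 20% CPU, 60 s per statement',
    mgmt_p1           => 20,
    max_est_exec_time => 60,            -- reject statements estimated to run longer
    switch_time       => 60,            -- and cancel any that actually run longer
    switch_group      => 'CANCEL_SQL');
  DBMS_RESOURCE_MANAGER.CREATE_PLAN_DIRECTIVE(
    plan             => 'FILTER_PLAN',
    group_or_subplan => 'OTHER_GROUPS', -- every plan must have this directive
    comment          => 'everything else',
    mgmt_p1          => 80);
  DBMS_RESOURCE_MANAGER.VALIDATE_PENDING_AREA;
  DBMS_RESOURCE_MANAGER.SUBMIT_PENDING_AREA;
END;
/
-- 3. Map the account to the group and activate the plan.
EXEC DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP('FILTER_RUNNER', 'FILTER_GROUP', FALSE);
EXEC DBMS_RESOURCE_MANAGER.SET_INITIAL_CONSUMER_GROUP('FILTER_RUNNER', 'FILTER_GROUP');
ALTER SYSTEM SET RESOURCE_MANAGER_PLAN = 'FILTER_PLAN';
```

Run the filter feature's connection pool as FILTER_RUNNER only; the application's normal account keeps its own privileges on a separate connection.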
