pradeeptp

Reputation: 2151

Where to find PL/SQL injection checking library/code

I would like to know whether anyone knows about a library or code that will accept a PL/SQL string and throw an error if there is any PL/SQL injection. Most of the open source projects on the internet are created in PHP.

Upvotes: 1

Views: 463

Answers (2)

Colin 't Hart

Reputation: 7729

Assuming you have a very good reason to use both dynamic SQL and to embed strings in your statements rather than use bind variables, Oracle has a built-in library for this purpose. It's called dbms_assert.

See http://docs.oracle.com/cd/E11882_01/appdev.112/e40758/d_assert.htm for full details on this package.

Upvotes: 0
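As an added illustration of the answer above (this is not code from the answer or from Oracle's documentation), here is the situation dbms_assert is meant for: a routine that must take an object name and a column name from the caller. Identifiers cannot be bind variables, so each one is validated before it is concatenated into the statement. The table EMP, its column ENAME and the function name count_nonnull are assumptions chosen for the demo.

```sql
-- Added example, not the answer's own code. Table EMP / column ENAME are
-- assumed to exist in the calling schema; count_nonnull is a demo name.
CREATE OR REPLACE FUNCTION count_nonnull (
    p_table  IN VARCHAR2,   -- untrusted, e.g. an HTTP parameter
    p_column IN VARCHAR2    -- untrusted
) RETURN NUMBER
AS
    l_sql   VARCHAR2(4000);
    l_count NUMBER;
BEGIN
    -- SQL_OBJECT_NAME raises ORA-44002 unless the string resolves to an
    -- object the caller can see (an optional schema prefix is allowed).
    -- SIMPLE_SQL_NAME raises ORA-44003 unless the string is exactly one
    -- unquoted or double-quoted identifier: spaces, single quotes,
    -- semicolons and comment markers all fail here, before any SQL runs.
    l_sql := 'SELECT COUNT(*) FROM '
          || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
          || ' WHERE '
          || DBMS_ASSERT.SIMPLE_SQL_NAME(p_column)
          || ' IS NOT NULL';
    EXECUTE IMMEDIATE l_sql INTO l_count;
    RETURN l_count;
END count_nonnull;
/

-- Demo: the first call runs; the second never reaches EXECUTE IMMEDIATE.
DECLARE
    n NUMBER;
BEGIN
    n := count_nonnull('EMP', 'ENAME');
    DBMS_OUTPUT.PUT_LINE('ok: ' || n);

    BEGIN
        -- constructed attacker input for the column position
        n := count_nonnull('EMP', 'ENAME IS NULL OR 1=1 --');
    EXCEPTION
        WHEN OTHERS THEN
            -- expected: ORA-44003: invalid SQL name
            DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
    END;
END;
/
```

Two caveats a practitioner should keep in mind. SIMPLE_SQL_NAME only checks identifier syntax, not that the column belongs to the table; if you need that guarantee, look the pair up in ALL_TAB_COLUMNS first. And dbms_assert is for identifiers, not for data values: ENQUOTE_LITERAL merely doubles single quotes, so values such as the WHERE clause operands still belong in bind variables, which is exactly the point of the next answer.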

Adrian Smith

Reputation: 17553

You need to use parameters, for example

UPDATE mytable SET field=:param WHERE id=:id

And then assign :param and :id to be the value that you get from the untrusted source (form value, url params, cookie, ...)

This also improves performance, and you don't need to parse anything to determine if it's injection or not. (Such approaches might have subtle bugs that you don't see, but the attacker will use. I mean you cannot verify that every possible attack, including those you haven't thought of yet, will be stopped by an injection-detection logic.)

Upvotes: 3
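As an added example (not code from the answer), the UPDATE above written twice inside PL/SQL: once with the untrusted value spliced into the statement text, once with the bind variables the answer recommends. The table, its two columns and the procedure names are assumptions for the demo, and the attacker payload is constructed.

```sql
-- Added example, not the answer's own code. mytable and the procedure
-- names are demo assumptions.
CREATE TABLE mytable (id NUMBER PRIMARY KEY, field VARCHAR2(100));
INSERT INTO mytable VALUES (1, 'alice');
INSERT INTO mytable VALUES (2, 'bob');
COMMIT;

-- VULNERABLE: the value becomes part of the statement text, so a quote in
-- the input closes the literal and the rest is parsed as SQL.
CREATE OR REPLACE PROCEDURE update_field_unsafe (p_id IN NUMBER, p_value IN VARCHAR2)
AS
BEGIN
    EXECUTE IMMEDIATE 'UPDATE mytable SET field = ''' || p_value
                   || ''' WHERE id = ' || p_id;
END update_field_unsafe;
/

-- SAFE: the statement text is fixed; the values travel as binds and are
-- never parsed as SQL, whatever characters they contain. The database also
-- parses this one statement once and reuses it for every value.
CREATE OR REPLACE PROCEDURE update_field_safe (p_id IN NUMBER, p_value IN VARCHAR2)
AS
BEGIN
    EXECUTE IMMEDIATE 'UPDATE mytable SET field = :param WHERE id = :id'
        USING p_value, p_id;
END update_field_safe;
/

DECLARE
    -- constructed attacker input
    l_payload VARCHAR2(200) := 'x'' WHERE 1=1 --';
BEGIN
    -- Unsafe: the executed text is
    --   UPDATE mytable SET field = 'x' WHERE 1=1 --' WHERE id = 1
    -- so the intended WHERE clause is commented out and every row changes.
    update_field_unsafe(1, l_payload);
    FOR r IN (SELECT id, field FROM mytable ORDER BY id) LOOP
        DBMS_OUTPUT.PUT_LINE('unsafe -> ' || r.id || ': ' || r.field);
    END LOOP;
    ROLLBACK;

    -- Safe: only id 1 changes, and its field now holds the payload verbatim.
    update_field_safe(1, l_payload);
    FOR r IN (SELECT id, field FROM mytable ORDER BY id) LOOP
        DBMS_OUTPUT.PUT_LINE('safe   -> ' || r.id || ': ' || r.field);
    END LOOP;
    ROLLBACK;
END;
/
```

Note that when the statement text itself does not need to vary, no dynamic SQL is needed at all: a static `UPDATE mytable SET field = p_value WHERE id = p_id;` inside the PL/SQL block already binds both variables. EXECUTE IMMEDIATE with a USING clause is the right tool only when the statement must be assembled at run time, and even then the untrusted values stay in the USING list while only validated identifiers are ever concatenated.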
