| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> Re[2]: SQL Injection and Oracle?
d> Nope, you could do it with any sql based database unless your forms have d> protection built in. Thankfully our WEB guys did that by accident. Namely when d> they accept a data value they have certain rules that they apply to all fields, d> like max length, no unlimited length fields, comment data manipulated via d> procedures. It's rather easy, but you have to design it that way.
That's what I suspected. I probed the few trival forms that I'd done with CGI/Oracle and found that mine were accidentally safe -- I figure pretty much like a pocket protector keeps you from getting STD's. Limited fields and some javascript pre-processing.
But now I've got some concerns about what our developers have done in our big app.....
-rje
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Robert Eskridge
INET: bryny_at_dfweahs.net
Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Liststo: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). Received on Fri Feb 01 2002 - 11:14:25 CST
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
 |
 |