| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> RE: SQL Injection Concern
Jon,
Would this table be a good candidate for auditing of inserts, updates and deletes? That would tell you when you have a problem, but would miss the first occurrence of the problem.
Sarah Satterthwaite
DBA
Fiserv CSW
-----Original Message-----
From: Goulet, Dick [mailto:DGoulet_at_vicr.com]
Sent: Monday, January 10, 2005 11:42 AM
To: jknight_at_concordefs.com; oracle-l_at_freelists.org
Subject: RE: SQL Injection Concern
Jon,
Yes that is a concern. In our case data that goes into a table is only data to be passed to the procedure, not part of an execute immediate.=20
Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA
-----Original Message-----
From: Knight, Jon [mailto:jknight_at_concordefs.com]=20
Sent: Monday, January 10, 2005 11:33 AM
To: oracle-l_at_freelists.org
Subject: SQL Injection Concern
We've got a table listing stored programs that need to execute after
various application activity. My first thought is to just use "execute
immediate" on the stored program. But this will allow anyone to insert
a
row into our table and execute arbitrary code. I'm interested in any
suggestions or solutions you've implemented to tighten up security in
such a
situation.
Thanks,
Jon Knight
Senior Database Analyst
2525 Horizon Lake Drive, Suite 120
Memphis, TN 38133
JKnight_at_concordefs.com
901.371.8000 - Phone 800.238.7675 - Phone 901.380.8336 - Fax www.FirstData.com
--
http://www.freelists.org/webpage/oracle-l
--
http://www.freelists.org/webpage/oracle-l
--
http://www.freelists.org/webpage/oracle-l
Received on Mon Jan 10 2005 - 10:56:39 CST
 |
 |