RE: SQL Injection in HTML DB prevention
Well, it's not giving me any trouble. If I supply :
'or "2=2" etc.;
to the :P400_NAME field, the single/double quotes and the semicolon are stripped out.
&F121_DEPOSIT_WHERE_CLAUSE starts off with its default value of '1=1', so if the user never specifies anything, my 'built' where clause doesn't die.
Everything is working fine, but I just want to ensure that I'm covering my bases (besides other things), to prevent somebody from supplying data that would enable SQL Injection into my query string. (Just got an email over the weekend to ensure that all systems are designed to prohibit this, from headquarters).
I just started reading about it this morning, and my brain isn't functioning too well today. I understand the basic principles (I think), which is why I'm stripping out the punctuation which could cause an error. I'm not sure if I'm missing anything else that I should strip out (if present) as well. I started out using the :punct: regular expression class, but that removed the wildcard as well, which I want to keep.
Thanks.
-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org]
On Behalf Of davewendelken_at_earthlink.net
Sent: Monday, April 18, 2005 11:39 AM
To: oracle-l_at_freelists.org
Subject: Re: SQL Injection in HTML DB prevention
Why don't you show us the value of &F121_DEPOSIT_WHERE_CLAUSE that's giving you trouble, and what text you started from?
And I guess it's not really clear to me what the problem is you are asking about!
--
http://www.freelists.org/webpage/oracle-l
Received on Mon Apr 18 2005 - 14:03:33 CDT
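An added example, not code from either poster, illustrating the limit of the filtering described in the message above. The thread's approach strips single quotes, double quotes and semicolons before a user value is substituted into a where clause that starts out as '1=1'. That filter only helps where the value lands inside a quoted string literal; anywhere it is substituted unquoted (a numeric comparison, for instance) a payload such as `0 OR 1=1` contains none of the stripped characters and still rewrites the query. The example is generic SQL on an in-memory SQLite table, not HTML DB; the `deposits` table, its rows, the `owner` scoping and the numeric `min_amount` filter are all constructed here and are not in the post. The same distinction applies in HTML DB, where an `&ITEM.` reference is substituted as text into the statement while a `:ITEM` reference is passed as a bind variable.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the post).
ROWS = [
    ("alpha", 100, "alice"),
    ("beta", 250, "bob"),
    ("gamma", 75, "alice"),
]


def setup_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the deposits table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE deposits (id INTEGER PRIMARY KEY, name TEXT, amount INTEGER, owner TEXT)"
    )
    conn.executemany("INSERT INTO deposits (name, amount, owner) VALUES (?, ?, ?)", ROWS)
    return conn


def strip_punct(value: str) -> str:
    """Blacklist filter in the spirit of the post: drop ' " and ; but keep the % wildcard."""
    return re.sub(r"['\";]", "", value)


def vulnerable_query(conn, owner: str, name_filter: str, min_amount: str) -> list:
    """WHERE clause built by string substitution, starting from the post's default '1=1'.

    name_filter lands inside a quoted literal; min_amount (an assumed numeric filter,
    not in the post) lands unquoted. Both go through strip_punct first.
    """
    where = "1=1"
    if name_filter:
        where += f" AND name LIKE '{strip_punct(name_filter)}%'"
    if min_amount:
        where += f" AND amount >= {strip_punct(min_amount)}"
    sql = f"SELECT name FROM deposits WHERE owner = '{owner}' AND {where} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def safe_query(conn, owner: str, name_filter: str, min_amount: str) -> list:
    """Same filters, but every user value is a bind variable and the numeric one is
    validated before it reaches the statement. No character stripping is needed."""
    sql = "SELECT name FROM deposits WHERE owner = :owner"
    params = {"owner": owner}
    if name_filter:
        sql += " AND name LIKE :name_pat"
        params["name_pat"] = name_filter + "%"  # user-supplied % wildcards stay usable
    if min_amount:
        if not min_amount.strip().isdigit():
            raise ValueError(f"min_amount must be a non-negative integer, got {min_amount!r}")
        sql += " AND amount >= :min_amount"
        params["min_amount"] = int(min_amount)
    sql += " ORDER BY id"
    return [row[0] for row in conn.execute(sql, params)]


def demo() -> dict:
    """Run both builders against two payloads and return what each one gives back."""
    conn = setup_db()
    payload_quoted = "' OR 1=1 --"  # needs a quote to break out: the filter stops it
    payload_numeric = "0 OR 1=1"    # no quote, no semicolon: the filter lets it through
    results = {
        "vuln_default": vulnerable_query(conn, "alice", "", ""),
        "vuln_quoted_payload": vulnerable_query(conn, "alice", payload_quoted, ""),
        "vuln_numeric_payload": vulnerable_query(conn, "alice", "", payload_numeric),
        "safe_quoted_payload": safe_query(conn, "alice", payload_quoted, ""),
    }
    try:
        safe_query(conn, "alice", "", payload_numeric)
        results["safe_numeric_payload"] = "accepted"
    except ValueError:
        results["safe_numeric_payload"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the numeric case the stripped payload survives intact and the clause becomes `... AND amount >= 0 OR 1=1`, so bob's row comes back to alice. The bind-variable version never concatenates user text into the statement, so the only thing left to check is that a value meant to be a number actually is one; the LIKE wildcard the poster wants to keep is unaffected, because the pattern is passed as data rather than as part of the SQL.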