Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Auditing an app's SQL - How?

Re: Auditing an app's SQL - How?

From: Pete Finnigan <plsql_at_petefinnigan.com>
Date: Wed, 8 Dec 2004 09:49:26 +0000
Message-ID: <TSCUsoAm4stBRx80@peterfinnigan.demon.co.uk>


>
>*Since somebody's probably going to ask, the specific error is:
>'80040e3d' A specified type was invalid
>If I can view the SQL I can probably figure out what's wrong.
>

Hi Walt,

Howard has given some good advice but let me give some other tips. The first thing is that the error number you list looks like a Windows error; at least that is the sort of number I see when Windows programs crash. It could be that the application tool parses the SQL first and the error is detected before sending the SQL to the server, so you may not find it in the database or on the way to the database.

If you can repeat the problem - I think from inference you can - then set SQL*Net trace on the client that is running the application. An example of how to do this is in my paper "Detecting SQL Injection in Oracle", which you can find at http://www.petefinnigan.com/orasec.htm. This trace will then contain the SQL statement sent to the server from the application. You can also use SQL trace (depending on how far the SQL got into the server); a paper on many ways to set trace is at http://www.petefinnigan.com/ramblings/how_to_set_trace.htm

Finally, if you are a bit more adventurous and your application uses OCI as its lowest layer, then there is a free tool that grabs SQL from the OCI layer called OCISPY; you can find a link on my tools page at http://www.petefinnigan.com/tools.htm. There is a Java tool that does the same for JDBC listed there as well; sorry, I cannot recall the exact name at the moment.

hth

kind regards

Pete

-- 
Pete Finnigan (email:pete_at_petefinnigan.com)
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Wed Dec 08 2004 - 03:49:26 CST
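
The following is an added example, not part of the post above or of the paper it cites: a Python sketch that pulls SQL text out of the packets a client sent, as recorded in a SQL*Net client trace (for instance one produced with `TRACE_LEVEL_CLIENT = 16` in the client's `sqlnet.ora`). The trace row layout, the header bytes and the sample trace are assumptions constructed for illustration; compare them with your own trace file before relying on the patterns.

```python
import re

# Assumed layout of a level-16 (SUPPORT) client trace: each sent packet starts
# with "nspsend: packet dump" and continues as rows of up to 8 hex bytes plus
# an ASCII column between '|' characters. Check against your own trace file.
START = re.compile(r"nspsend: packet dump")
ROW = re.compile(r"nspsend: ((?:[0-9A-F]{2} ?)+)\s*\|")
SQL = re.compile(rb"(?i)(?:select|insert|update|delete|merge|begin|declare)\s[\x20-\x7e\s]*")

def sent_packets(trace_text):
    """Yield the raw bytes of every client-to-server packet in the trace."""
    buf = None
    for line in trace_text.splitlines():
        if START.search(line):
            if buf:
                yield bytes(buf)
            buf = bytearray()
        elif buf is not None and (m := ROW.search(line)):
            buf += bytes.fromhex(m.group(1))
    if buf:
        yield bytes(buf)

def extract_sql(trace_text):
    """Return the printable SQL text found in sent packets, in order."""
    # Works on the hex column: the ASCII column replaces some bytes with '.'.
    return [m.group(0).decode("ascii").strip()
            for pkt in sent_packets(trace_text) for m in SQL.finditer(pkt)]

def render(func, payload):
    """Build constructed trace rows for the sample below (not real output)."""
    rows = [f"{func}: packet dump"]
    for i in range(0, len(payload), 8):
        chunk = payload[i:i + 8]
        hexs = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 < b < 127 else "." for b in chunk)
        rows.append(f"{func}: {hexs:<23}  |{text}|")
    return rows + [f"{func}: normal exit"]

# Constructed sample: made-up header bytes around two statements, plus one
# received packet that must be ignored.
HDR = bytes.fromhex("003A0000060000000000035E01")
SAMPLE_TRACE = "\n".join(
    render("nspsend", HDR + b"SELECT ename FROM emp WHERE hiredate = :1\x01\x00")
    + render("nsprecv", bytes.fromhex("000B00000600000000080100"))
    + render("nspsend", HDR + b"update emp set sal = :1 where empno = :2\x00"))

if __name__ == "__main__":
    for stmt in extract_sql(SAMPLE_TRACE):
        print(stmt)
```

A statement that spans more than one packet is returned in pieces, one per packet, and only the `nspsend` side is read, so server replies never appear in the output.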
