Re: PL/SQL / javascript injection - checking for
Jeremy wrote:
> Hello everyone,
>
>
> We are using 9iR2 with mod_plsql.
>
> One of the security risks is javascript injection - where script is
> appended to the URL
>
> Can anyone point to any useful links where this has been discussed
> within the mod_plsql world?
>
> In essence, one needs to check (I think) every incoming parameter for
> the presence of any suspect code and, naturally, I'd like to avoid re-
> inventing the wheel if at all possible...
>
> cheers
>
>
> --
> jeremy
>
Well, if you don't use received parameters as literals in some dynamic SQL and don't output them as is without filtering, then you should be safe. If you do the latter, a simple replace of `<` to `&lt;`, `>` to `&gt;`, `&` to `&amp;` and `"` to `&quot;` should be sufficient sanitization to prevent XSS (cross-site scripting, or JavaScript injection as you called it). In this case injected code will be output as text, not as script or HTML; the browser will not try to interpret it. If you do concatenate parameters into dynamic SQL statements as they are without any filtering, I urge you to convert them to bind variables - not only will this prevent SQL injection attacks, but your applications will scale and perform better.
Hth,
Vladimir M. Zakharychev
N-Networks, makers of Dynamic PSP(tm)
http://www.dynamicpsp.com
Received on Fri Dec 15 2006 - 06:59:37 CST
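The two measures from the reply above, output escaping and bind variables, put together in a mod_plsql procedure. This is an added example, not code from the thread or from Dynamic PSP; the table DEMO_ITEMS(ITEM_NAME VARCHAR2) and the procedure/function names are assumptions made for illustration.

```plsql
-- Added example (hypothetical names). Assumes a table
-- DEMO_ITEMS(ITEM_NAME VARCHAR2(100)) exists in the schema.

-- Escape the four characters named in the reply so a parameter is rendered
-- as text, never parsed as markup. The web toolkit's htf.escape_sc does
-- similar escaping; this version spells the replacements out.
CREATE OR REPLACE FUNCTION html_escape(p_in IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN REPLACE(REPLACE(REPLACE(REPLACE(p_in,
           '&', '&amp;'),   -- '&' first, or the entities below get re-escaped
           '<', '&lt;'),
           '>', '&gt;'),
           '"', '&quot;');
END html_escape;
/

-- A mod_plsql entry point: optional parameters need a DEFAULT so a URL
-- without ?p_name= still resolves to this procedure.
CREATE OR REPLACE PROCEDURE search_items(p_name IN VARCHAR2 DEFAULT NULL) IS
  l_cnt PLS_INTEGER;
BEGIN
  -- Output path: the raw parameter is escaped before it is written to the page.
  htp.p('<p>Results for: ' || html_escape(p_name) || '</p>');

  -- Dynamic SQL path: the parameter travels as a bind variable, so its
  -- content can never change the statement text. The concatenated form
  -- this replaces would have been:
  --   EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM demo_items WHERE item_name = '''
  --                     || p_name || '''' INTO l_cnt;
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM demo_items WHERE item_name = :1'
    INTO l_cnt USING p_name;

  htp.p('<p>' || l_cnt || ' matching item(s)</p>');
END search_items;
/
```

Because the bound value is passed separately from the statement text, the same parsed cursor is reused across calls, which is the scalability benefit the reply mentions.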