Title: DBMS_ASSERT
Post by Pete Finnigan on Nov 13th, 2005, 6:52am

Hi,

Just read the post about DBMS_ASSERT, great package. But a much better approach would be if Oracle created new datatypes, like a varchar that only allows A-Z, a-z, 0-9, or a datatype that replaces each ' with '', etc. That would be just the best solution.

Oded.
Title: Re: DBMS_ASSERT
Post by Pete Finnigan on Nov 13th, 2005, 8:50pm

Hi Oded,

Thanks for your post. Actually that is quite a good idea to help prevent SQL Injection. It is worth exploring anyway to see if there is merit in it, i.e. would it work and actually help SQL Injection prevention. I think also to remember is the fact that a better way to prevent SQL injection is to not use concatenation in the first place and to use binds.

Nice idea though,

cheers

Pete
Title: Re: DBMS_ASSERT
Post by Pete Finnigan on Nov 17th, 2005, 12:07am

> I think also to remember is the fact that a better way to prevent SQL injection is to not use concatenation in the first place and to use binds.

The problem is you can't use binds for table names. If you look at the PL/SQL Injection issues that Oracle's falling to you'll find a large number of the injection points are table names. As such there'll always be concatenation...

Cheers,
David Litchfield
Title: Re: DBMS_ASSERT
Post by Pete Finnigan on Nov 17th, 2005, 10:34am

Hi David,

Thanks for your post. I think we are talking at cross purposes. I was talking about general protection against SQL Injection in user-written code rather than how Oracle might fix their own bugs. I think that the OP was talking about how to protect against SQL Injection in his own code? DBMS_ASSERT is a good start for developers; I referenced your excellent paper in my blog the other day. Also the OP's idea about having bounded data types is worth exploring.

On your point, yes, I agree that it is not possible to use schema elements as binds in NDS or DBMS_SQL. Oracle will need to ensure that the input to the concat cannot be fed in from outside the function/procedure and also use DBMS_ASSERT to validate the schema object name/owner. I guessed that this was the purpose for the relevant functions in DBMS_ASSERT.

cheers

Pete
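The split the two posts above arrive at (values go in binds, schema element names cannot, so they are validated with DBMS_ASSERT before being concatenated) in working PL/SQL. This is an added example, not code from the thread, from Pete Finnigan or from Oracle; it assumes a 10g Release 2 (or patched) database where SYS.DBMS_ASSERT is available, and the function, table and column names are illustrative.

```sql
-- Added example (not from the thread): the same dynamic lookup written the
-- unsafe way and the hardened way. Table name/columns (NAME, AMOUNT) and the
-- function names are illustrative assumptions.

-- Before: caller input is concatenated straight into the statement text,
-- both the table name and the literal. This is the pattern the thread warns
-- against; it is shown only as the starting point for the fix below.
CREATE OR REPLACE FUNCTION lookup_unsafe (
    p_table IN VARCHAR2,
    p_name  IN VARCHAR2
) RETURN NUMBER
AS
    l_sql    VARCHAR2(4000);
    l_amount NUMBER;
BEGIN
    l_sql := 'SELECT amount FROM ' || p_table ||
             ' WHERE name = ''' || p_name || '''';
    EXECUTE IMMEDIATE l_sql INTO l_amount;
    RETURN l_amount;
END lookup_unsafe;
/

-- After: the schema element is validated (it cannot be a bind), the value
-- travels as a bind (it never becomes part of the SQL text).
CREATE OR REPLACE FUNCTION lookup_safe (
    p_owner IN VARCHAR2,
    p_table IN VARCHAR2,
    p_name  IN VARCHAR2
) RETURN NUMBER
AS
    l_object VARCHAR2(400);
    l_sql    VARCHAR2(4000);
    l_amount NUMBER;
BEGIN
    -- SQL_OBJECT_NAME raises ORA-44002 unless OWNER.TABLE resolves to an
    -- existing object for the caller, so only a real object name can be
    -- spliced into the statement.
    l_object := SYS.DBMS_ASSERT.SQL_OBJECT_NAME(p_owner || '.' || p_table);

    -- The value is referenced by a bind placeholder, not concatenated;
    -- quote characters inside p_name are data, not syntax.
    l_sql := 'SELECT amount FROM ' || l_object || ' WHERE name = :b_name';
    EXECUTE IMMEDIATE l_sql INTO l_amount USING p_name;
    RETURN l_amount;
END lookup_safe;
/
```

Two points a reviewer would check: the caller of lookup_safe still decides which schema objects are acceptable (DBMS_ASSERT only proves the name exists, not that the caller should read it), and the function should run with AUTHID CURRENT_USER or an explicit allow-list of tables if it is exposed to less privileged users.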
Title: Re: DBMS_ASSERT
Post by Pete Finnigan on Nov 18th, 2005, 12:48pm

Hi,

Yes, I was talking about a way to protect against SQL Injection in developers' code and not Oracle's. I was thinking about creating those data types by using Oracle's object capabilities with a constructor function, and publishing it in my blog.

Oded Maimon.
go-oracle.blogspot.com - (broken link)
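One way to build the "bounded datatype" Oded describes, as an object type whose user-defined constructor rejects anything outside A-Z, a-z, 0-9. This is an added example, not Oded's implementation or anything from his blog; it assumes Oracle 10g or later (user-defined constructors), and the type name safe_alnum_t, its attribute and the error number are illustrative.

```sql
-- Added example (not from the thread): an allow-list object type. A value of
-- this type can only exist if its constructor accepted it, so code that
-- takes safe_alnum_t instead of VARCHAR2 gets the check for free.
CREATE OR REPLACE TYPE safe_alnum_t AS OBJECT (
    val VARCHAR2(4000),
    -- Same signature as the default attribute-value constructor, so it
    -- replaces it: there is no unchecked way to build the object.
    CONSTRUCTOR FUNCTION safe_alnum_t (p_in IN VARCHAR2)
        RETURN SELF AS RESULT
);
/

CREATE OR REPLACE TYPE BODY safe_alnum_t AS
    CONSTRUCTOR FUNCTION safe_alnum_t (p_in IN VARCHAR2)
        RETURN SELF AS RESULT
    IS
    BEGIN
        -- Allow-list, not deny-list: only A-Z, a-z, 0-9 pass. NULL, empty
        -- strings, quotes, spaces and punctuation are all rejected.
        IF p_in IS NULL OR NOT REGEXP_LIKE(p_in, '^[A-Za-z0-9]+$') THEN
            RAISE_APPLICATION_ERROR(-20001,
                'safe_alnum_t: value contains characters outside A-Z, a-z, 0-9');
        END IF;
        SELF.val := p_in;
        RETURN;
    END;
END;
/

-- Usage: the check runs when the value is constructed, before it can reach
-- any concatenated SQL text.
DECLARE
    v safe_alnum_t;
BEGIN
    v := safe_alnum_t('EMP42');     -- accepted
    DBMS_OUTPUT.PUT_LINE(v.val);
    v := safe_alnum_t('O''Brien');  -- rejected: raises ORA-20001
END;
/
```

The caveat is that this is still PL/SQL-level validation: it protects only the code paths that accept safe_alnum_t rather than a plain VARCHAR2, and a procedure that reads v.val and then concatenates something else remains as exposed as before. It also cannot replace DBMS_ASSERT for object names, since a legitimate table name can contain characters the allow-list rejects (underscores, quoted identifiers).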
Title: Re: DBMS_ASSERT
Post by Pete Finnigan on Nov 18th, 2005, 1:51pm

Hi,

That sounds like a plan, let us know when you have tried it. I for one would like to see how you get on.

cheers

Pete