Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Data breaches near 94 million"] [Next entry: "Applying CPU's"]

Tom has discovered a PL/SQL oddity



I saw Tom's post http://tkyte.blogspot.com/2006/10/something-new-i-learned-this-week.html - (broken link) Something new I learned this week... and read with interest. I was aware of this issue quite a long time ago when i programmed more regularly with PL/SQL. I have to admit I wasn't thinking about it. I seem to remember that i first read about this when I first learned PL/SQL years ago because I came from a C programming background, pointers and pass by value come more naturally. This is an interesting issue for me for a number of reasons. First cos its PL/SQL and I like PL/SQL and like to play and investigate the language and internals and second because oddities and internals always open security doors. I dont see an obvious hack but I can see how it would be possible to abuse a system that makes use of procedures or functions that update globals or pass globals into functions. As Tom said avoid globals.