How to write injection proof PL/SQL
October 17th, 2008 by Pete
Duncan emailed me today to let me know of a new paper written by Oracle called "How to write injection proof PL/SQL" that was released in the wake of Oracle Open World. The paper is excellent and runs to 76 pages. Here is the abstract from the start of the paper:
Googling for "SQL injection" gets about 4 million hits. The topic excites interest and superstitious fear. This whitepaper demystifies the topic and explains a straightforward approach to writing database PL/SQL programs that provably guarantees their immunity to SQL injection.
Only when a PL/SQL subprogram executes SQL that it creates at run time is there a risk of SQL injection; and you'll see that it's easier than you might think to freeze the SQL at PL/SQL compile time. Then you'll understand that you need the rules which prevent the risk only for the rare scenarios that do require run-time-created SQL. It turns out that these rules are simple to state and easy to follow.
Bruce Schneier also has a post titled "How to Write Injection-Proof SQL" that has an interesting comment stream attached to it.
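The abstract's central point is that injection is only possible when the SQL text itself is assembled at run time, so the first defence is to keep the statement text fixed at compile time (static SQL), and the second is to pass caller input through bind variables whenever dynamic SQL is unavoidable; only a SQL name, which cannot be bound, needs input validation. The following PL/SQL is an added example to illustrate those three cases; it is not code from the Oracle paper or from this post, and the APP_USERS table and its columns are assumed for illustration.

```sql
-- Added example, not from the Oracle paper. The APP_USERS table and its
-- columns are constructed here purely so the functions below compile.
CREATE TABLE app_users (
  username  VARCHAR2(30) PRIMARY KEY,
  status    VARCHAR2(10) NOT NULL
);

-- Anti-pattern the paper warns against: the statement text is built by
-- concatenating caller input, so whoever controls p_username also controls
-- the SQL that runs. Kept only for comparison with the safe versions below.
CREATE OR REPLACE FUNCTION user_status_concat (p_username IN VARCHAR2)
  RETURN VARCHAR2
IS
  l_status app_users.status%TYPE;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT status FROM app_users WHERE username = ''' || p_username || ''''
    INTO l_status;
  RETURN l_status;
END;
/

-- 1. Static SQL: the statement is frozen when the function is compiled,
--    so p_username can only ever be data. This is the paper's default rule.
CREATE OR REPLACE FUNCTION user_status_static (p_username IN VARCHAR2)
  RETURN VARCHAR2
IS
  l_status app_users.status%TYPE;
BEGIN
  SELECT status INTO l_status
    FROM app_users
   WHERE username = p_username;   -- PL/SQL binds p_username automatically
  RETURN l_status;
END;
/

-- 2. Dynamic SQL done safely: the template is still a compile-time literal
--    and the value reaches the statement through a placeholder and USING.
CREATE OR REPLACE FUNCTION user_status_dynamic (p_username IN VARCHAR2)
  RETURN VARCHAR2
IS
  l_status app_users.status%TYPE;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT status FROM app_users WHERE username = :uname'
    INTO l_status
    USING p_username;
  RETURN l_status;
END;
/

-- 3. A SQL name supplied by the caller cannot be bound, so it has to become
--    part of the statement text. DBMS_ASSERT.SIMPLE_SQL_NAME raises ORA-44003
--    unless the input is a well-formed identifier, which keeps arbitrary
--    text out of the statement.
CREATE OR REPLACE FUNCTION row_count_of (p_table_name IN VARCHAR2)
  RETURN NUMBER
IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table_name)
    INTO l_count;
  RETURN l_count;
END;
/

-- Constructed sample run: one row, then each safe function called on it.
DECLARE
  l_status app_users.status%TYPE;
  l_count  NUMBER;
BEGIN
  INSERT INTO app_users (username, status) VALUES ('alice', 'ACTIVE');
  l_status := user_status_static('alice');
  DBMS_OUTPUT.PUT_LINE('static : ' || l_status);
  l_status := user_status_dynamic('alice');
  DBMS_OUTPUT.PUT_LINE('dynamic: ' || l_status);
  l_count := row_count_of('app_users');
  DBMS_OUTPUT.PUT_LINE('rows   : ' || l_count);
  ROLLBACK;
END;
/
```

A quick review check that follows from the paper's rule: any EXECUTE IMMEDIATE, OPEN ... FOR, or DBMS_SQL.PARSE whose statement argument is not a string literal (or a literal joined only with DBMS_ASSERT-validated names) is the code that needs scrutiny; everything else in the unit is static SQL and is safe by construction.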



October 17th, 2008 at 06:38 pm
Paul M. Wright says:
This is an interesting paper.