Watch for SQL Injection in Oracle

In my everyday life, I work with both SQL Server and Oracle databases to develop databases, schemas, stored procedures, and functions as well as the middle-tier applications that wrap the database functionality.  Along with that work, I also spend a lot of time validating input data, and dealing with other issues of secure coding.

In my upcoming security talk, I will spend some time outlining the dangers of SQL Injection, as I have mentioned before.  I have mostly written about, and mostly seen, the SQL Injection problems you can have with SQL Server, but similar attacks work against Oracle and many other database vendors.  I found a great article today that was mentioned on one of my security mailing lists (sign up for the SC-L mailing list at securecoding.org).  The article is An Introduction to SQL Injection Attacks for Oracle Developers.  It has some really good tips and advice on countering SQL Injection in Oracle databases, and it is also a great read as a general introduction to this important security topic.  Get it today, and be informed.

Published Saturday, January 24, 2004 2:09 PM by RHurlbut

Comments

Sunday, January 25, 2004 4:56 PM by stefan demetz

# re: Watch for SQL Injection in Oracle

there are not enough forced practices for input validation/sanitizing in ASP.NET

Monday, January 26, 2004 7:38 AM by Robert Hurlbut

# re: Watch for SQL Injection in Oracle

True. You still have to do this yourself. There is where developer (and architect, manager, etc.) education comes in, as the current thread on the SC-L list points out.

Tuesday, January 27, 2004 7:24 PM by TrackBack

# SQLTeam.com

SQLTeam.com

Sunday, February 01, 2004 6:37 PM by stefan demetz

# re: Watch for SQL Injection in Oracle

education is good, but it ought to be built into the component itself, just like the Cross SS of textboxes in v1.1

Sunday, February 01, 2004 11:12 PM by Robert Hurlbut

# re: Watch for SQL Injection in Oracle

Stefan -- Actually, if you rely on the built-in protection against CSS in .Net 1.1, it can be compromised, as I will show on Tuesday night. Education pays in this case as you can know how to go the "extra mile" to deal with the additional holes in .Net 1.1 regarding CSS.

Wednesday, February 04, 2004 6:43 PM by stefan demetz

# re: Watch for SQL Injection in Oracle

my way of doing this
- overridden webcontrols
- server side regex allowing only defined options:
numeric or letters or alphanumeric or predefined custom regex
all the rest is filtered out

Wednesday, February 04, 2004 6:47 PM by TrackBack

# Hardening ASP.NET - avoid SQL injection (ouch !!) - Part 2

Wednesday, February 04, 2004 8:59 PM by Robert Hurlbut

# re: Watch for SQL Injection in Oracle

Stefan, that is definitely a good approach.

I think of it similar to how you train bank tellers to know when they are dealing with counterfeit money. You don't show them all the possible combinations of counterfeit money, but instead show them what's real, and teach them to reject the bad. With data input, you define what's allowed, test for it, and reject the rest.

Earlier, in another comment, I mentioned the Cross-Site Scripting bug in ASP.NET 1.1. I have also now mentioned it in another post. The solution, regardless of whether there is a fix or not, is that you must HtmlEncode the input that comes in from the web form, check for what's valid, and then reject the bad.

Thursday, February 05, 2004 7:37 PM by stefan demetz

# re: Watch for SQL Injection in Oracle

I totally agree,
btw I was able to test the SQL injection on Sybase and DB2

Thursday, February 05, 2004 10:48 PM by Robert Hurlbut

# re: Watch for SQL Injection in Oracle

Stefan -- not surprising, as most SQL Injection attacks are done by simple standard SQL constructs that are valid across all database vendors (use of comments (--), etc.). Thanks for the update!
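
As an added illustration of the allow-list approach in Stefan's comment and the "define what's allowed, reject the rest" point above (example code, not from the post or its commenters), the following Python contrasts a concatenated query with validation plus a bind parameter, using a constructed in-memory SQLite table in place of Oracle. The function names `validate`, `lookup_concat`, `lookup_safe` and the `account_code` pattern are assumptions of the example.

```python
import re
import sqlite3

# Allow-list patterns in the spirit of the comment above: each input field is
# declared as one of a few kinds, and anything that does not match is rejected.
ALLOWED = {
    "numeric": re.compile(r"^[0-9]{1,10}$"),
    "letters": re.compile(r"^[A-Za-z]{1,64}$"),
    "alphanumeric": re.compile(r"^[A-Za-z0-9]{1,64}$"),
    # a "predefined custom regex": an assumed account code such as AB-1234
    "account_code": re.compile(r"^[A-Z]{2}-[0-9]{4}$"),
}

def validate(value, kind):
    """Return True only if value matches the declared allow-list kind."""
    return ALLOWED[kind].fullmatch(value) is not None

def make_db():
    """Constructed in-memory table standing in for the real customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (code TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("AB-1234", "Alice"), ("CD-5678", "Bob")])
    return conn

def lookup_concat(conn, code):
    """The 'before' version: string concatenation, open to injection."""
    sql = "SELECT name FROM customers WHERE code = '" + code + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, code):
    """Validate against the allow-list first, then use a bind parameter."""
    if not validate(code, "account_code"):
        raise ValueError("rejected input: %r" % code)
    sql = "SELECT name FROM customers WHERE code = ?"
    return [row[0] for row in conn.execute(sql, (code,))]

if __name__ == "__main__":
    db = make_db()
    hostile = "' OR 'a'='a' --"        # constructed sample using the -- comment
    print(lookup_concat(db, hostile))  # every row: the WHERE clause was bypassed
    try:
        lookup_safe(db, hostile)
    except ValueError as err:
        print(err)                     # rejected before reaching the database
    print(lookup_safe(db, "AB-1234"))  # ['Alice']
```

With an Oracle driver the placeholder is a named or positional bind such as `:code` rather than `?`, but the validate-then-bind pattern is the same.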
Friday, February 06, 2004 6:30 PM by TrackBack

# Hardening ASP.NET - avoid SQL injection (ouch !!) - Part 2 (continued)

Saturday, July 10, 2004 10:06 AM by stefan demetz

# re: Watch for SQL Injection in Oracle

Wednesday, August 11, 2004 8:00 AM by TrackBack

# Advanced Data Access with ADO.NET and Oracle