PreparedStatement
The PreparedStatement interface is used to execute dynamic SQL statements. Either the standard JDBC PreparedStatement interface or Oracle's OraclePreparedStatement may be used; the latter is only needed when Oracle-specific data types or other Oracle extensions are required.
A PreparedStatement that is vulnerable to SQL injection may look something like this:
String name = request.getParameter("name");
PreparedStatement pstmt =
conn.prepareStatement("insert into EMP (ENAME) values ('" + name + "')");
pstmt.execute();
pstmt.close();
To prevent SQL injection, a bind variable must be used:
PreparedStatement pstmt =
conn.prepareStatement("insert into EMP (ENAME) values (?)");
String name = request.getParameter("name");
pstmt.setString(1, name);  // the value is bound; it never becomes part of the SQL text
pstmt.execute();
pstmt.close();
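The following is an added example, not code from the original post: the same two INSERT statements rewritten against Python's sqlite3 module (whose "?" placeholders bind the way JDBC's setString does) so the difference can be run without an Oracle instance. It uses a constructed in-memory EMP table and the name O'Brien as input; the apostrophe is enough to show that concatenated data changes the statement's structure while a bound value stays data.

```python
import sqlite3

# Added example (not from the original post): the two statements from the
# post, using Python's sqlite3 module so they run without an Oracle instance.
# The "?" placeholder binds the value the same way JDBC's setString(1, name) does.

def new_db():
    """In-memory EMP table mirroring the single column used in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table EMP (ENAME text)")
    return conn

def insert_concat(conn, name):
    """Vulnerable form: the user-supplied name becomes part of the SQL text."""
    conn.execute("insert into EMP (ENAME) values ('" + name + "')")
    conn.commit()

def insert_bound(conn, name):
    """Safe form: the SQL text is fixed; the name travels as a bound value."""
    conn.execute("insert into EMP (ENAME) values (?)", (name,))
    conn.commit()

def names(conn):
    """All ENAME values currently stored, sorted for stable comparison."""
    return [row[0] for row in conn.execute("select ENAME from EMP order by ENAME")]

def demo(name="O'Brien"):
    """Run both forms on one input; return (concat_outcome, stored_names)."""
    conn = new_db()
    try:
        insert_concat(conn, name)
        concat_outcome = "inserted"
    except sqlite3.OperationalError as exc:
        # The quote inside the data closed the string literal early, so the
        # database parsed the rest of the name as SQL and rejected it.
        concat_outcome = "error: " + str(exc)
    insert_bound(conn, name)
    return concat_outcome, names(conn)

if __name__ == "__main__":
    outcome, rows = demo()
    print(outcome)  # the concatenated statement fails to parse
    print(rows)     # the bound statement stored O'Brien verbatim
```

With a plain name such as Smith both forms insert a row; the concatenated form only breaks (or, for a crafted value, changes meaning) once the input contains SQL syntax, which is exactly the case binding removes.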
Tuesday, March 25, 2008
Monday, March 24, 2008
Sql Injection in Oracle
Oracle is like any other database product and, as a result, is vulnerable to SQL injection attacks. While Oracle fares slightly better than some of the others, the following abuses can be inflicted on an Oracle database:
- UNIONS can be added to an existing statement to execute a second statement;
- SUBSELECTS can be added to existing statements;
- Existing SQL can be short-circuited to bring back all data. This technique is often used to gain access via third-party-implemented authentication schemes;
- A large selection of installed packages and procedures is available, including packages that read and write O/S files;
- Data Definition Language (DDL) can be injected if DDL is used in a dynamic SQL string;
- INSERTS, UPDATES and DELETES can also be injected; and,
- Other databases can be injected through the first by using database links.
On the other hand, the following abuses are not possible:
- Multiple statements are not allowed; and,
- It is also not possible to inject SQL into a call that uses bind variables; bind variables are therefore a good solution to most SQL injection issues.
Tuesday, March 4, 2008