An Introduction To SQL Injection Attacks For Oracle Developers

Introduction

Most application developers underestimate the risk of SQL injection attacks against web
applications that use Oracle as the back-end database. Our audits of custom web applications show
many application developers do not fully understand the risk of SQL injection attacks and simple
techniques used to prevent such attacks.

This paper is intended for application developers, database administrators, and application auditors
to highlight the risk of SQL injection attacks and demonstrate why web applications may be
vulnerable. It is not intended to be a tutorial on executing SQL attacks and does not provide
instructions on executing these attacks.

Table of Contents

  1. Introduction … 4
     Summary … 4
     SQL Injection Overview … 4
     SQL Injection: Oracle versus Other Databases … 4
     Application Development … 5
  2. SQL Injection … 6
     Introduction … 6
     Categories of SQL Injection Attacks … 6
     What's Vulnerable … 7
     What's Not Vulnerable … 7
  3. SQL Injection Methods … 8
     SQL Manipulation … 8
     Code Injection … 9
     Function Call Injection … 10
     Buffer Overflows … 11
  4. PL/SQL … 12
     Overview … 12
     Execute Immediate Statement … 12
     DBMS_SQL Package … 14
     Dynamic Cursors … 15
  5. JDBC … 16
     Overview … 16
     PreparedStatement … 16
     CallableStatement … 17
  6. Protecting against SQL Injection … 18
     Bind Variables … 18
     Input Validation … 18
     Function Security … 19
     Error Messages … 19
  7. Common Exceptions … 20
     Dynamic Table Names and Where Clauses … 20
     Like Clauses … 20
     Dynamic Procedure and Function Calls … 21
  8. Oracle Functions … 22
     Determine Function Privileges … 22
     Restricting Access to Functions … 22
     Standard Functions … 22
     Oracle Supplied Functions … 23
     Custom Application Functions … 23
  9. References … 24

Download: An Introduction to SQL Injection - Attacks for Oracle Developers.pdf (344.0 KB)

Happy learning!