SqlInjection r4 - 13 May 2007 - 17:00 - PeterLorenzen



SQL Injection

For an introduction to SQL Injection check Avoiding SQL Injection in PL/SQL from the Oracle Database Application Developer's Guide - Fundamentals and the example in The APEX Best Practices paper.

Basically you should be concerned about SQL Injection if you use dynamic SQL and an end user can manipulate the dynamic expression. In PL/SQL you can write dynamic SQL via the old DBMS_SQL package or the modern Native Dynamic SQL (NDS), e.g. EXECUTE IMMEDIATE.

In APEX you should be concerned if you allow end users to input text that is used dynamically in DML, for example in the SELECT of a Report. If you do this, make sure you validate the input. Check for length, parentheses, comments (--, /* */) etc., or do a sanity check by validating the input against a table. If the user inputs a department name, check that the department name exists.
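The following PL/SQL is an added illustration of the points above; it is example code written for this note, not code from the Oracle documentation or the APEX paper. It assumes the classic SCOTT sample schema (EMP and DEPT, with DEPT.DNAME a VARCHAR2(14)). The first function shows a report count built by string concatenation, where the department name supplied by the user becomes part of the statement text. The second applies the two defences the page recommends: a syntactic check (length, parentheses, comment markers) followed by a sanity check that the department exists, and it passes the value to EXECUTE IMMEDIATE as a bind variable so it is never parsed as SQL.

```sql
-- Unsafe: the user-supplied department name is concatenated into the statement text.
-- Whatever the user types is parsed as part of the SQL.
CREATE OR REPLACE FUNCTION emp_count_unsafe (p_dname IN VARCHAR2) RETURN NUMBER IS
  l_sql   VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM emp e JOIN dept d ON d.deptno = e.deptno '
        || 'WHERE d.dname = ''' || p_dname || '''';
  EXECUTE IMMEDIATE l_sql INTO l_count;
  RETURN l_count;
END emp_count_unsafe;
/

-- Syntactic sanity check: length limit plus rejection of the characters and
-- comment markers the page warns about. Raises an error on bad input.
CREATE OR REPLACE PROCEDURE validate_report_input (p_value IN VARCHAR2) IS
BEGIN
  IF p_value IS NULL OR LENGTH(p_value) > 14 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Input missing or too long');
  END IF;
  IF INSTR(p_value, '(')  > 0 OR INSTR(p_value, ')')  > 0
     OR INSTR(p_value, '--') > 0 OR INSTR(p_value, '/*') > 0
     OR INSTR(p_value, '*/') > 0 OR INSTR(p_value, ';')  > 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'Input contains characters that are not allowed');
  END IF;
END validate_report_input;
/

-- Safe: validate the text, confirm the department really exists in DEPT,
-- and pass the value as a bind variable (:dname) rather than as statement text.
CREATE OR REPLACE FUNCTION emp_count_safe (p_dname IN VARCHAR2) RETURN NUMBER IS
  l_exists NUMBER;
  l_count  NUMBER;
BEGIN
  validate_report_input(p_dname);

  -- Sanity check against a table: the name must match an existing department.
  SELECT COUNT(*) INTO l_exists FROM dept WHERE dname = p_dname;
  IF l_exists = 0 THEN
    RAISE_APPLICATION_ERROR(-20003, 'Unknown department: ' || p_dname);
  END IF;

  -- The bind variable is sent as data; the statement text is constant.
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM emp e JOIN dept d ON d.deptno = e.deptno WHERE d.dname = :dname'
    INTO l_count USING p_dname;
  RETURN l_count;
END emp_count_safe;
/

-- Usage from SQL*Plus or an APEX page process (SCOTT sample data assumed):
--   SELECT emp_count_safe('SALES') FROM dual;
```

In an APEX report the same idea applies without PL/SQL: refer to the page item as a bind variable (`WHERE d.dname = :P1_DNAME`) in the region source instead of building the query text with `&P1_DNAME.` substitution, and put the existence check in a page-level validation that runs before the report is rendered.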

Additional information:




Author: PeterLorenzen - 27 Apr 2007

