SQL Injection and Oracle, Part Two

Wednesday Dec 4th 2002 by DatabaseJournal.com Staff

This is the second article in a two-part series from SecurityFocus that examines SQL injection attacks against Oracle databases. The objective of the series is to introduce Oracle users to some of the dangers of SQL injection and to suggest some simple ways of protecting against these types of attack.

[From SecurityFocus]

SQL Injection is a way to attack the data in a database straight through the firewall that is supposed to protect it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to the database to return data. For example, by adding a single quote (') to a parameter, it is possible to terminate the string literal the application built and cause a second query to be executed along with the first.
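To make the single-quote point concrete, here is an added example (not code from the SecurityFocus article) that puts a string-concatenated lookup beside a bind-variable one. Python's built-in sqlite3 stands in for Oracle so the block runs offline; both engines accept `:name` bind placeholders, so the hardened form reads the same against Oracle, and the table and rows are constructed sample data.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for Oracle here (assumption).
ROWS = [("alice", "analyst"), ("o'brien", "dba")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_user (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO app_user VALUES (?, ?)", ROWS)
    return conn


def lookup_concat(username):
    """Vulnerable: the parameter is pasted into the SQL text, so a quote in it
    ends the string literal and whatever follows is parsed as SQL.
    A single quote is enough to change the statement."""
    conn = _connect()
    sql = "SELECT role FROM app_user WHERE username = '" + username + "'"
    try:
        return [r[0] for r in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        # A parser error triggered by user input is the signal a detection
        # step can log and alert on (Oracle reports ORA-01756 for an
        # unterminated quoted string). Returned here so the caller can see it.
        return "SQL error: %s" % exc


def lookup_bind(username):
    """Hardened: the value travels as a bind variable, never as SQL text,
    so a quote in it is just data. Oracle uses the same :name syntax."""
    conn = _connect()
    sql = "SELECT role FROM app_user WHERE username = :username"
    return [r[0] for r in conn.execute(sql, {"username": username})]
```

A legitimate name containing an apostrophe already breaks the concatenated form while the bind-variable form returns the row, which is also why syntax errors in the database log are worth watching.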

SQL injection techniques are an increasingly dangerous threat to the security of information stored in Oracle databases. These techniques are being discussed with growing regularity on security mailing lists, in forums, and at conferences. Many good papers have been written about SQL injection, and a few about the security of Oracle databases and software, but not many that focus on SQL injection against Oracle software specifically.

This is the second part of a two-part article examining SQL injection attacks against Oracle databases. The first installment gave an overview of SQL injection, showed how Oracle database applications are vulnerable to this attack, and walked through some examples. This segment looks at enumerating privileges, detecting SQL injection attacks, and protecting against SQL injection.

The complete article is available at http://online.securityfocus.com/infocus/1646.

Copyright 2017 © QuinStreet Inc. All Rights Reserved