This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

PL/SQL:SQL Injection

Revision as of 10:02, 13 November 2008 by Mjk303 (talk | contribs)

Jump to: navigation, search


WIP 13/11/2008


As the name implies, SQL injection vulnerabilities allow an attacker to inject (or execute) SQL commands within an application. It is one of the most wide spread and dangerous application vulnerability. The CLASP project provides a good overview of SQL injection.

Lateral SQL injection

As with all languages and databases, the seperation of the SQL logic and the SQL data is the only way to prevent SQL injection.

Stored Procedures


The reason that SQL injection is possible, is that the SQL statement is being generated from a language or enviroment that isn't working with SQL natively. So it does not know the consequences. The same goes for the database itself. As long as the SQL statement is syntactally correct and user that performs it has the rights, the database will execute it. There is no way for both side to determine what the impact would be. When trying to figure that out your essentially blacklisting and any new variant will be bypass your predetermined.

Another solution often found is to obfuscate the table and columns. Now this is not going to work as one of the rules described by CoddSo we need to make the understand eachother better. We can do this by seperating the data from the logic.

Bind variables

These are placeholders we can use to tell the database these parts of the query are dynamic and the rest is hardcoded. The communication is split up into multiple packages

But this is how a database wants you to communicate with it. Whenever a query passed to an Oracle database for execution, the first thing the RDMS will do is make a hashvalue of the query. Next it will to find the best way to collect the data that is needed and stores that in it's memory. After he is done with that it will selects the data and pass it on to the requester.

This is probably the only attackvector that when it is correctly fixed, it will also give you an performance improvement :)