I would like to know whether anyone knows about a library or code that will accept a PL/SQL string and throw an error if there is any PL/SQL injection. Most of the open source projects on the internet are created in PHP.

+2  A: 

You need to use parameters, for example

UPDATE mytable SET field=:param WHERE id=:id

And then assign :param and :id to be the value that you get from the untrusted source (form value, url params, cookie, ...)

This also improves performance, and you don't need to parse anything to determine if it's injection or not. (Such approaches might have subtle bugs that you don't see, but the attacker will use. I mean you cannot verify that every possible attack, including those you haven't thought of yet, will be stopped by an injection-detection logic.)

Adrian Smith
+1 bind variables guarantee no injection will occur. A very nice discussion about bind variables can be found at Tom Kyte's website: http://asktom.oracle.com/pls/apex/f?p=100:11:0::NO::P11_QUESTION_ID:2320123769177
andr
I have this approach already implemented in my code, i.e. passing values as parameters. My only concern is at the data input level, i.e. the GUI where the user enters data. I want to sanitise the data for SQL injection before it is passed to the server. This is why I am looking for a library. I am using Windows Forms for data input.
pradeeptp
But it doesn't matter, if you are using params then nothing bad will happen. Even if the user writes `';DROP table x` in the GUI form, then exactly those characters will get written into the field. Nothing bad will happen. (Although perhaps it doesn't make sense for those characters to be in a field, no doubt there are plenty of other character sequences which also don't make sense e.g. "fdgkdfggj").
Adrian Smith
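An added example, not from the answer or its commenters, that runs the accepted answer's `UPDATE mytable SET field=:param WHERE id=:id` with bind variables next to the string-concatenation form it replaces. It uses Python's sqlite3 in memory (the schema and rows are constructed; SQLite happens to accept the same `:name` placeholder syntax the answer shows for Oracle) and feeds it the comment's `';DROP table x` input so you can see it land in the column as plain text.

```python
import sqlite3
from typing import Optional

# Constructed stand-in for the answer's "mytable" (hypothetical schema, not from the page).
SEED_ROWS = [("1", "alice"), ("2", "bob"), ("3", "carol")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (id TEXT PRIMARY KEY, field TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def update_concatenated(conn: sqlite3.Connection, value: str, row_id: str) -> int:
    """Vulnerable form: untrusted text is spliced into the SQL itself. Returns rows changed."""
    sql = f"UPDATE mytable SET field = '{value}' WHERE id = '{row_id}'"
    return conn.execute(sql).rowcount


def update_with_binds(conn: sqlite3.Connection, value: str, row_id: str) -> int:
    """The answer's statement with :param and :id as bind variables.
    The values never become part of the SQL text, so they can only ever be data."""
    cur = conn.execute("UPDATE mytable SET field = :param WHERE id = :id",
                       {"param": value, "id": row_id})
    return cur.rowcount


def stored_field(conn: sqlite3.Connection, row_id: str) -> Optional[str]:
    row = conn.execute("SELECT field FROM mytable WHERE id = :id", {"id": row_id}).fetchone()
    return row[0] if row else None


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = :n",
                       {"n": name}).fetchone()
    return row is not None


if __name__ == "__main__":
    tampered_id = "2' OR '1'='1"   # constructed: form input containing a quote
    print(update_concatenated(make_db(), "hello", tampered_id))   # 3: every row rewritten
    conn = make_db()
    print(update_with_binds(conn, "hello", tampered_id))          # 0: no id equals that literal
    print(update_with_binds(conn, "';DROP table x", "2"))         # 1: the comment's input, stored as-is
    print(repr(stored_field(conn, "2")), table_exists(conn, "mytable"))
```

With binds, the comment's point holds exactly: the odd characters end up in the column and nothing else happens, so there is nothing left for a client-side "injection detector" to catch.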