Sunday, June 29, 2014

SQL Injection technique


An SQL Injection attack is one in which the attacker supplies input that is spliced into the text of a SQL statement, so that part of the input is parsed as SQL instead of being treated as data. Here is a simple but illustrative example. Suppose you have an APEX Report based on a SQL Query like this Select:

SELECT CUSTOMER_NAME, BALANCE FROM CUSTOMER_INFO WHERE CUSTOMER_ID='&P1_CUSTOMER_ID.'
P1_CUSTOMER_ID is a text item that the user can fill in. The substitution string &P1_CUSTOMER_ID. is replaced by the item's value in the SQL text before the statement is parsed, so whatever the user types becomes part of the query. If the user enters a valid id, one row is displayed, but if the user instead enters this:
10' or '1'='1
the quote in the input closes the literal and the rest is parsed as SQL, so the WHERE clause becomes CUSTOMER_ID='10' or '1'='1' and all rows are displayed, which is certainly not the intention. (Note that the input has to break out of the quotes; a value such as 10 or 1=1 would stay inside the literal and simply match nothing.)
The fix is to pass the item as a bind variable instead of a substitution string, by referencing it with a colon. In a report whose source is a PL/SQL Function Body returning SQL Query, keep the bind reference inside the returned string:
RETURN 'SELECT CUSTOMER_NAME, BALANCE FROM CUSTOMER_INFO WHERE CUSTOMER_ID=:P1_CUSTOMER_ID';
For a report based directly on a SQL Query the same :P1_CUSTOMER_ID reference can be written in the query itself, without the RETURN wrapper. A bind variable is supplied to the statement at execution time and is only ever treated as a value, so an input such as 10' or '1'='1 is compared with CUSTOMER_ID as a whole (and rejected if the column is numeric). The one thing not to do is concatenate the item into the text, as in RETURN '... WHERE CUSTOMER_ID=' || :P1_CUSTOMER_ID; because that is the same injection again.
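As an added example, not part of the original post, the following Oracle PL/SQL script reproduces both forms outside APEX with dynamic SQL, so the difference can be seen in a plain SQL*Plus or SQLcl session. The CUSTOMER_INFO table, its three rows and the attacker input are constructed here for the demonstration; the first EXECUTE IMMEDIATE splices the value into the statement text the way a substitution string does, the second passes it as a bind with USING.

```sql
-- Added example (not from the original post). Assumes an Oracle database
-- and a scratch schema; the table and rows below are constructed for the demo.
CREATE TABLE customer_info (
  customer_id   NUMBER PRIMARY KEY,
  customer_name VARCHAR2(50),
  balance       NUMBER
);
INSERT INTO customer_info VALUES (10, 'Alice', 100);
INSERT INTO customer_info VALUES (11, 'Bob',   250);
INSERT INTO customer_info VALUES (12, 'Carol', 975);
COMMIT;

SET SERVEROUTPUT ON
DECLARE
  -- Constructed attacker input, standing in for the value of P1_CUSTOMER_ID.
  l_input VARCHAR2(100) := q'[10' or '1'='1]';
  l_sql   VARCHAR2(4000);
  l_rows  NUMBER;
BEGIN
  -- 1) Vulnerable: the value is spliced into the SQL text before parsing,
  --    which is what an &P1_CUSTOMER_ID. substitution string does in APEX.
  l_sql := 'SELECT COUNT(*) FROM customer_info WHERE customer_id = '''
           || l_input || '''';
  DBMS_OUTPUT.PUT_LINE('Vulnerable SQL: ' || l_sql);
  EXECUTE IMMEDIATE l_sql INTO l_rows;
  -- The clause is now customer_id = '10' or '1'='1', so every row matches.
  DBMS_OUTPUT.PUT_LINE('Rows matched (vulnerable): ' || l_rows);

  -- 2) Safe: the same value is passed as a bind at execution time. It is
  --    only ever compared as data and can never change the statement.
  l_sql := 'SELECT COUNT(*) FROM customer_info WHERE customer_id = :id';
  BEGIN
    EXECUTE IMMEDIATE l_sql INTO l_rows USING l_input;
    DBMS_OUTPUT.PUT_LINE('Rows matched (bind): ' || l_rows);
  EXCEPTION
    WHEN INVALID_NUMBER OR VALUE_ERROR THEN
      -- customer_id is NUMBER, so the non-numeric string is simply rejected.
      DBMS_OUTPUT.PUT_LINE('Rejected as data: ' || SQLERRM);
  END;

  -- A legitimate id through the bind form still returns exactly one row.
  EXECUTE IMMEDIATE l_sql INTO l_rows USING '10';
  DBMS_OUTPUT.PUT_LINE('Rows matched (bind, valid id): ' || l_rows);
END;
/

DROP TABLE customer_info PURGE;
```

The vulnerable branch reports all three rows; the bind branch either raises ORA-01722 for the injected string or, if CUSTOMER_ID were a VARCHAR2 column, matches zero rows, because the whole string is compared against the column as one value. That is the property a bind variable gives you and a substitution string does not.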
