
How to prevent a SQL injection attack in Oracle

Oracle security expert Brian Fedorko explains how to prevent a SQL injection attack in Oracle.

How can we prevent a SQL injection attack on our Oracle databases?
The answer is straightforward, but the implementation will take a great deal of teamwork between your application designers and your DBAs.

Your front-end application must be ruthless in filtering input. Special characters should be rejected unless there is some specific reason they are necessary. Characters such as the dash, solidus and semicolon are commonly used to modify the SQL statements your application may be building. Numbers should be filtered out of text input to avoid the passing of hexadecimal values and MD5 hashes. Lastly, text input should be filtered for SQL set operators such as UNION or INTERSECT.

On the database side, you can reduce your exposure to a SQL injection attack through the use of bind variables. If we pass values into a bind variable, rather than concatenate the user input to other strings, malicious SQL will not be executed. In addition to being resistant to SQL injection, bind variables are key to performance and scalability in most situations -- a double bonus!

Finally, restrict the functions, procedures and packages your application user has permission and privileges to execute. The principle of least privilege is the key concept to implement. Restricting access to packages unnecessary to your application user's processing (UTL_FILE, UTL_SMTP, UTL_TCP, etc.) can further reduce the likelihood and/or severity of an attack.
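As an added example (not part of the expert's answer), the bind-variable and least-privilege advice above in Oracle PL/SQL: a lookup that concatenates caller input into dynamic SQL, beside the same lookup rewritten with `EXECUTE IMMEDIATE ... USING`, followed by the grants and revokes that restrict the application account. The `customers` table, the function names and the `app_user` account are assumptions for illustration.

```sql
-- Assumed schema: a customers table looked up by e-mail address.

-- Pattern to avoid: the caller's input is spliced into the SQL text, so
-- whatever it contains is parsed by Oracle as part of the statement.
CREATE OR REPLACE FUNCTION find_customer_unsafe(p_email IN VARCHAR2)
  RETURN NUMBER
IS
  v_id NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT customer_id FROM customers WHERE email = ''' || p_email || ''''
    INTO v_id;
  RETURN v_id;
END;
/

-- Hardened form: the input travels as the bind variable :email, so it is
-- always treated as data, never as SQL; the parsed statement is also reused
-- across calls, which is the performance benefit the answer mentions.
CREATE OR REPLACE FUNCTION find_customer(p_email IN VARCHAR2)
  RETURN NUMBER
IS
  v_id NUMBER;
BEGIN
  -- Front-end filtering still applies; a length cap here is a cheap backstop.
  IF p_email IS NULL OR LENGTH(p_email) > 254 THEN
    RAISE_APPLICATION_ERROR(-20001, 'invalid e-mail input');
  END IF;
  EXECUTE IMMEDIATE
    'SELECT customer_id FROM customers WHERE email = :email'
    INTO v_id USING p_email;
  -- Equivalent static SQL binds automatically and needs no EXECUTE IMMEDIATE:
  --   SELECT customer_id INTO v_id FROM customers WHERE email = p_email;
  RETURN v_id;
END;
/

-- Least privilege for the application account (assumed name app_user):
-- grant only the routine it needs, and remove the PUBLIC execute grants on
-- the file/network packages the answer lists so they are not reachable
-- through that account. Run the REVOKEs as SYS and confirm no other
-- schema depends on the PUBLIC grant before removing it.
GRANT EXECUTE ON find_customer TO app_user;
REVOKE EXECUTE ON SYS.UTL_FILE FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_SMTP FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_TCP FROM PUBLIC;
```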

This was last published in March 2009
