How to prevent a SQL injection attack in Oracle

Oracle security expert Brian Fedorko explains how to prevent a SQL injection attack in Oracle.

How can we prevent a SQL injection attack on our Oracle databases?
The answer is straightforward, but the implementation will take a great deal of teamwork between your application designers and your DBAs.

Your front-end application must be ruthless in filtering input. Special characters should be rejected unless there this is some specific reason they are necessary. Characters such as the dash, solidus and semicolon are commonly used to modify the SQL statements your application may be building. Numbers should be filtered out of text input to avoid the passing of hexadecimal values and MD5 hashes. Lastly, text input should be filtered for SQL set operators such as UNION or INTERSECT.

On the database side, you can reduce your exposure to a SQL injection attack through the use of bind variables. If we pass values into a bind variable, rather than concatenate the user input to other strings, malicious SQL will not be executed. In addition to being resistant to SQL injection, bind variables are key to performance and scalability in most situations -- a double bonus!

Finally, restrict the functions, procedures and packages your application user has permission and privileges to execute. The principle of least privilege is the key concept to implement. Restricting access to packages unnecessary to your application user's processing (UTL_FILE, UTL_SMPT, UTL_TCP, etc.) can further reduce the likelihood and/or severity of an attack.

Dig Deeper on Oracle database security