Your front-end application must be ruthless in filtering input. Special characters should be rejected unless there this is some specific reason they are necessary. Characters such as the dash, solidus and semicolon are commonly used to modify the SQL statements your application may be building. Numbers should be filtered out of text input to avoid the passing of hexadecimal values and MD5 hashes. Lastly, text input should be filtered for SQL set operators such as UNION or INTERSECT.
On the database side, you can reduce your exposure to a SQL injection attack through the use of bind variables. If we pass values into a bind variable, rather than concatenate the user input to other strings, malicious SQL will not be executed. In addition to being resistant to SQL injection, bind variables are key to performance and scalability in most situations -- a double bonus!
Finally, restrict the functions, procedures and packages your application user has permission and privileges to execute. The principle of least privilege is the key concept to implement. Restricting access to packages unnecessary to your application user's processing (UTL_FILE, UTL_SMPT, UTL_TCP, etc.) can further reduce the likelihood and/or severity of an attack.
Dig Deeper on Oracle database security
Related Q&A from Brian Fedorko
A reader asks a question about the GRANT OPTION as it relates to object privileges in Oracle database security. Continue Reading
Interested in using fingerprint scanning in Oracle 9i? Learn about Oracle 9i security and how it works with a biometric scanner in this tip from ... Continue Reading
Oracle expert Brian Fedorko explains how to enable remote Oracle OS authentication in Windows and Linux, including why you might receive the ORA-... Continue Reading