Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Checkpwd updated and also released for Mac"] [Next entry: "More SQL Injection"]

Please dont SQL Inject a bank

I saw a post on my Oracle security forum titled "Please don't do SQL injection" that refers to a blog on Tom's site the refering to an entry on the - (broken link) Worsethanfailure site about a bank that has an error screen that is presented under circumstances when you try and add a security phrase. This is great, but sad. How does code like this for a bank get into production? - don't they do code reviews? - don't they have secure coding training, don't they know not to send meaningfull errors back to the client. worse they advertise that its possible to SQL Inject??? this is crazy, if they add an error telling people to not send in parts of the SQL language as a security phrase does that mean that if you do it will detect only those keywords? what about others, what about the fact that they have told the user that the security phrase is written to a database table? and it is added into a concatenated string - OK, I am being sarcastic, I realise the issues here! - how does code like this get into the mainstream, is it real or a dummy? - real i guess.

There has been 2 Comments posted on this article

July 9th, 2007 at 10:16 am

Pete Finnigan says:

Banks are pretty lame. I reported a phishing issue to a major UK bank and it took over a year to fix it.

The flaw wasn't a showstopper (they used a redirector script, so you could make URLs that started "" point to arbitrary sites) but it wouldn't have got past a rudimentary security code review or penetration test.

July 9th, 2007 at 12:37 pm

Pete Finnigan says:

Banks a lot of the time are more focused on customer satisfaction and making money than really making their products safe and sound for their customers.

This is true for any business. It usually takes a good bite for a company to get serious about their security practices.