Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Please dont SQL Inject a bank"] [Next entry: "database security bloopers"]

More SQL Injection

Alex has posted an entry in his blog yesterday titled "he that is without sin among you, let him cast a stone at her" on the same subject that Tom and then I spoke about, the error message from a bank around SQL Injection. Alex makes some points about where the developers of these types of applications learn to code applications vulnerable to SQL Injection. He points at Tom's book, David Knox, Kevin Loney and others. I think he makes a good point as where do developers learn to code against Oracle? - training, Oracle documentation, Oracle sample programs and of course popular books.

Alex then commented on - (broken link) Toms blog and an interesting conversation started. Tom does know what SQL Injection is, he has made a recent acreer talking about bind variables and SQL Injection and I am hoping he will cover security and of course SQL Injection and more with gusto when we get to see the second volume of his book. I remember he even canvassed for subjects and security was in there amongst them. Alex has amde a very good point, that people do learn from peers, mentors, BOOKS and training; I think the unfortunate apsect of all of this is that writers of these media have not taken security into account until very recently even though issues like SQL Injection have been known for many years now. Lets hope that everyone writes with security in mind and that old and new generations of coders understand the risks and dont provide these loopholes.