
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Extreme SQL Injection

I saw today a link on Tom's blog to a cartoon that shows how SQL injection could transfer to the real world. The cartoon had been pointed out to me before that by Patrick. The cartoon shows how you could give your child a name like "Robert') drop table students--" so that when it was entered into the school computer an attack could occur. It's a joke, but it carries a serious message: any data that can end up being used in a SQL statement is a potential attack vector for SQL injection. Patrick also told me that his colleague beat this cartoon by two years with a similar attack discussed in his post "How to break the National Identity Register". Obviously, naming your child like this to effect a SQL injection attack is crazy, but the idea is not: what would happen if you filled in a form with a pen that is later read by some sort of reader into a computer? If you added an injectable payload, it could work.
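To make the "data ends up in a SQL statement" point concrete, here is an added example (not code from the original post) that feeds the cartoon's student name through two versions of the same insert: one built by string concatenation and one using a bound parameter. It uses Python's built-in sqlite3 module and an in-memory database; the `students` table, the `fresh_db`, `vulnerable_insert` and `safe_insert` helpers, and the sample name are all constructed for the demonstration. sqlite3's `execute()` refuses stacked statements, so the vulnerable path uses `executescript()` to stand in for a driver or database that accepts them.

```python
import sqlite3

# Constructed sample input: the cartoon's "student name" as typed into a form.
CARTOON_NAME = "Robert'); DROP TABLE students;--"


def fresh_db():
    """In-memory database with a students table and one ordinary row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO students (name) VALUES ('Alice')")
    conn.commit()
    return conn


def table_exists(conn, table):
    """True if the named table is still present in the schema catalogue."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row[0] == 1


def vulnerable_insert(conn, name):
    """Builds the statement by concatenation, so the name is parsed as SQL syntax.

    executescript() models a driver/database that runs stacked statements.
    The returned string shows exactly what the database was asked to run.
    """
    sql = "INSERT INTO students (name) VALUES ('" + name + "');"
    conn.executescript(sql)
    return sql


def safe_insert(conn, name):
    """Binds the name as a parameter: it is stored as data, never parsed as SQL."""
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    conn.commit()


def demo():
    """Run both paths on the same input and report what happened to the table."""
    # 1. Concatenation: the name closes the string literal, drops the table,
    #    and the trailing "--" comments out the rest of the original statement.
    conn = fresh_db()
    vulnerable_insert(conn, CARTOON_NAME)
    dropped = not table_exists(conn, "students")

    # 2. Bound parameter: the same input is just an unusual name in one row.
    conn = fresh_db()
    safe_insert(conn, CARTOON_NAME)
    still_there = table_exists(conn, "students")
    stored = [r[0] for r in conn.execute("SELECT name FROM students ORDER BY id")]
    return dropped, still_there, stored


if __name__ == "__main__":
    dropped, still_there, stored = demo()
    print("concatenated insert dropped the table:", dropped)
    print("parameterised insert kept the table:", still_there)
    print("rows after parameterised insert:", stored)
```

The fix is the same whichever way the data arrives (keyboard, web form or scanned paper): bind values as parameters and never assemble SQL text from them, so a name can only ever be a name.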