Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "October Critical Patch Update 2008 is out"] [Next entry: "Exploiting CREATE ANY DIRECTORY to become a SYSDBA"]

How to write injection proof PL/SQL

Duncan emailed me today to let me know of a new paper written by Oracle called "How to write injection proof PL/SQL" that was released in the wake of Oracle Open World. The paper is excellent and 76 pages long. Here is the abstract from the head of the paper:

Googling for "SQL injection" gets about 4 million hits. The topic excites interest and superstitious fear. This whitepaper dymystifies the topic and explains a straightforward approach to writing database PL/SQL programs that provably guarantees their immunity to SQL injection.

Only when a PL/SQL subprogram executes SQL that it creates at run time is there a risk of SQL injection; and you'll see that it's easier than you might think to freeze the SQL at PL/SQL compile time. Then you'll understand that you need the rules which prevent the risk only for the rare scenarios that do require run-time-created SQL. It turns out that these rules are simple to state and easy to follow.

Bruce Schneier also has a post titled "How to Write Injection-Proof SQL" that has an interesting comment stream attached to it.

There has been 1 Comment posted on this article

October 17th, 2008 at 06:38 pm

Pete Finnigan says:

This is an interesting paper.