Wednesday, January 20, 2021

How to Resolve SQL Injection /Second Order Injection Attack in PL/SQL

When PL/SQL code is flagged with a SQL injection finding, how do you resolve it?


SQL injection is a simple type of attack and can be avoided with basic coding practices.

Below are some of the best coding practices.

Avoid dynamic SQL; rewrite it into static SQL.

If you must use dynamic SQL, try not to construct it through concatenation of input values. Instead, use bind arguments.

If you cannot avoid input concatenation, you must validate the input values.


1. EXECUTE IMMEDIATE: This should not be used, as it is vulnerable to attackers, and hence should be replaced with DBMS_SQL for dynamic execution of SQL queries.

2. Parameters: If the concurrent program uses a procedure with a parameter that the user can tamper with, then you need to sanitize that parameter before it is used.

You can filter the input values using the DBMS_ASSERT functions.

DBMS_ASSERT.QUALIFIED_SQL_NAME is used to verify that the string is a simple SQL name.

DBMS_ASSERT.ENQUOTE_LITERAL should be used if you want to pass character variable values in quotes. It encloses the string literal within single quotation marks.
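The following is an added example (not code from the original post) that puts the practices above side by side: a function that concatenates both an identifier and a value straight into the statement, and a rewrite that uses DBMS_SQL with a bind argument for the value and DBMS_ASSERT for the table name, which cannot be bound. The function names, the table parameter and the STATUS column are assumptions made for the example.

```plsql
-- VULNERABLE (the pattern static analysis flags): both the table name and the
-- status value are concatenated into the SQL text, so a crafted p_status
-- value changes the meaning of the statement instead of being treated as data.
CREATE OR REPLACE FUNCTION count_rows_unsafe (p_table  IN VARCHAR2,
                                              p_status IN VARCHAR2)
  RETURN NUMBER
IS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || p_table
                 || ' WHERE status = ''' || p_status || ''''
    INTO l_cnt;
  RETURN l_cnt;
END count_rows_unsafe;
/

-- HARDENED: the value travels as a bind argument, so it can never be parsed
-- as SQL; the identifier (which cannot be bound) is checked with DBMS_ASSERT,
-- which raises ORA-44004 for anything that is not a valid qualified SQL name.
CREATE OR REPLACE FUNCTION count_rows_safe (p_table  IN VARCHAR2,
                                            p_status IN VARCHAR2)
  RETURN NUMBER
IS
  l_cur  INTEGER;
  l_cnt  NUMBER := 0;
  l_rows INTEGER;
  l_sql  VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM ' || DBMS_ASSERT.QUALIFIED_SQL_NAME(p_table)
        || ' WHERE status = :b_status';
  l_cur := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(l_cur, l_sql, DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(l_cur, ':b_status', p_status);  -- data, not SQL text
  DBMS_SQL.DEFINE_COLUMN(l_cur, 1, l_cnt);
  l_rows := DBMS_SQL.EXECUTE(l_cur);
  IF DBMS_SQL.FETCH_ROWS(l_cur) > 0 THEN
    DBMS_SQL.COLUMN_VALUE(l_cur, 1, l_cnt);
  END IF;
  DBMS_SQL.CLOSE_CURSOR(l_cur);
  RETURN l_cnt;
EXCEPTION
  WHEN OTHERS THEN
    -- Never leak an open cursor when the parse or the assert fails.
    IF DBMS_SQL.IS_OPEN(l_cur) THEN
      DBMS_SQL.CLOSE_CURSOR(l_cur);
    END IF;
    RAISE;
END count_rows_safe;
/
```

Calling count_rows_safe with a table name such as `orders; DROP TABLE orders` raises ORA-44004 before any statement is parsed, while an unexpected p_status value simply matches no rows.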

