SQL injection techniques are an increasingly becoming a dangerous threat to the security of information stored upon any Oracle database. Oracle is a huge product and SQL injection can be applied to many of its modules, languages and APIs making oracle database likely to be susceptible to SQL injection attacks.
SQL injection attacks can be easily defeated with simple programming changes, however, developers must always ensure to be discipline enough to apply some important methods to every web accessible procedure and function.
Every dynamic SQL statement must be protected because a single unprotected SQL statement can result in compromising of the application, data or database server. Some of this important methods are:
The most powerful and advisable protection against SQL injection is the use of bind variables. The use of bind variables not only protects against SQL injection attacks but it is also helps to improve an application performance.
The application coding standards always require that a bind variable should always be used in all SQL statements. No and never should an SQL statement be created by concentrating together strings and passed parameters.
Bind variables should be used for every SQL statement regardless of when or where the SQL statement is being executed. This is one of the oracles internal coding standard and should always be your organization’s standard too.
Every passed string of parameter must be validated. Most web application use hidden fields and other techniques which also must be validated. If a bind variable is not being used, special database characters must be removed or escaped.
Mostly for oracle databases, the only character at issue is a single quote. The simplest method is to escape all single quotes as oracle interprets consecutive single quotes as a literal single quote.
Standard and custom database functions can always be exploited in SQL injection attacks. Many of these functions can be used effectively in an attack. Oracle is always delivered with hundreds of standard functions and by default all have grants to the public.
The application may have additional functions which perform operations like changing passwords or the creating of users that could be exploited. All the functions that are not absolutely necessary to the application should be restricted.
If an attacker cannot obtain the source code for an application, error messages become critically important for a successful attack. Most of the java applications do not return detailed error messages. Testing and analysis should be performed to determine if the application returns detailed error messages.
The more information returned in an error message, the more useful the message is to an attacker. All the PL/SQL gateway applications should be designated to return an application generated error page when an Oracle error is encountered rather than allowing the gateway to return an error message.
However some errors like procedure not found must be returned by the gateway. Since these type of errors are most likely caused by an attacker rather than errors in normal application processing, only minimal or no information should be returned.
- What to Do to Protect Your Data from SQL Injection Attacks
- Causes Of SQL Injection Attacks
- Oracle Database Firewall