Re: SQL Injection

From: Sverre H. Huseby (shh@thathost.com)
Date: 06/12/02


Date: Wed, 12 Jun 2002 22:34:42 +0200
From: "Sverre H. Huseby" <shh@thathost.com>
To: "Breidenbach, Beth" <Beth.Breidenbach@getronics.com>


[Breidenbach, Beth]

| Oracle doesn't support sending multiple, semi-colon delimited
| statements such as you are describing. That particular hole is
| generally only seen with Postgres and SQLServer (and a few MySQL
| modules).

I may misunderstand your statement, but here it goes anyway:

As a die hard fan of PostgreSQL, I must object when you call the
support for multiple statements a "hole". The hole is not in what the
RDBMS supports. It is in how the caller passes data to the RDBMS.

Even if Oracle and others do not support multiple statements in a
single request, attackers may gain access to information that is not
for their eyes using other constructs if the application programmer is
sloppy when it comes to input validation and meta character handling.
Would you call that a "hole" in Oracle? Probably not.

With support for multiple statements an attacker may more easily do
more harm, but it is still the application programmer that is to
blame, not the database.

Just my two cents, or whatever you say over there.

Sverre.

-- 
shh@thathost.com			Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/		http://nerdquiz.thathost.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
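The point made in the message above, as an added example that is not part of the original thread: an engine that refuses stacked, semicolon-separated statements still leaks data through a single-statement injection when the application splices input into the query text. The example uses Python's built-in sqlite3 module, whose execute() accepts exactly one statement at a time, as a stand-in for the Oracle behaviour Beth describes (an analogy, not a claim about Oracle itself). The table, rows and attacker inputs are constructed for the demo.

```python
"""Stacked statements rejected, single-statement injection still works.

Added example (not from the original message).  sqlite3 stands in for a
database that executes only one statement per request; the schema, rows
and payloads below are constructed for the demonstration.
"""
import sqlite3


def make_db():
    """In-memory database with a harmless table and a sensitive one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER, name TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'alice', 'admin');
        INSERT INTO users VALUES (2, 'bob', 'user');
        CREATE TABLE secrets (owner TEXT, value TEXT);
        INSERT INTO secrets VALUES ('alice', 's3cret-token');
        """
    )
    return conn


def lookup_vulnerable(conn, name):
    """Sloppy caller: attacker-controlled text becomes part of the statement.

    The quote character is the meta character that is never handled, so the
    input can close the literal and append further SQL.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Correct caller: the value travels separately from the statement text,
    so no meta character in it can change the structure of the query."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def stacked_statements_rejected(conn, payload):
    """True if the engine refuses a semicolon-stacked payload outright.

    sqlite3 raises (Warning on older Pythons, ProgrammingError on newer ones)
    when more than one statement is passed to execute(); that is the
    single-statement-per-request case the message discusses.
    """
    try:
        lookup_vulnerable(conn, payload)
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row is not None


# Constructed attacker inputs.
STACKED_PAYLOAD = "x'; DROP TABLE secrets; --"
UNION_PAYLOAD = "x' UNION SELECT owner, value FROM secrets WHERE 'a'='a"


if __name__ == "__main__":
    db = make_db()
    print("stacked payload rejected:", stacked_statements_rejected(db, STACKED_PAYLOAD))
    print("secrets table survived:", table_exists(db, "secrets"))
    # One statement, no semicolon: the engine happily runs it.
    print("vulnerable + UNION:", lookup_vulnerable(db, UNION_PAYLOAD))
    # Same payload, bound as data: nothing is disclosed.
    print("safe + UNION:", lookup_safe(db, UNION_PAYLOAD))
```

Run it with any Python 3: the stacked DROP is refused and the secrets table survives, exactly as a single-statement engine would behave, yet the UNION payload pulls the token out of the secrets table through the concatenating function, while the parameterised function returns nothing for the same input. Lack of multiple-statement support narrows what an attacker can do; it does not close the hole, which lives in the caller.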