
SQL injection attacks in Oracle

Discussion in 'Security, Backup and Recovery' started by lovelandj, Nov 26, 2008.

  1. lovelandj

    lovelandj Active Member

    I have heard a lot about SQL injection attacks in SQL. Does such a vulnerability exist in Oracle database? I should not think so, but maybe experts can tell me.

    Looking forward to everyone's replies.
     
  2. Sadik

    Sadik Community Moderator Forum Guru

    You have got yourself slightly confused. SQL injection is not a database vulnerability, it is an application vulnerability, where the application programmer has not properly filtered for escape characters and the user input can be passed as a SQL statement to the database.

    So there may be a potential manipulation of the application by executing SQL statements on the database by the end user of the application. So whether it's Oracle or any other database hardly matters if there is a flaw in the application. However, in today's applications this kind of thing is quite obsolete and I doubt if you will find many recent cases.

    You should try reading Wikipedia on the subject for more info.

    cheers :D
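
Added example, not part of the thread: a minimal sketch of the application-side flaw described in the post above, next to the bind-variable form that avoids it. It uses Python's built-in sqlite3 as an offline stand-in for Oracle (the `:name` placeholder style matches Oracle bind variables); the `accounts` table, the function names and the sample inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for any SQL database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (:name)",
                     [{"name": n} for n in ("alice", "bob", "O'Brien")])
    return conn

def lookup_concatenated(conn, username):
    # Flawed: the input is spliced into the SQL text, so a quote in the
    # input changes the structure of the statement the database parses.
    sql = "SELECT username FROM accounts WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, username):
    # Hardened: the statement text is fixed; the input travels separately
    # as a bind value and is only ever compared as data.
    sql = "SELECT username FROM accounts WHERE username = :name"
    return [row[0] for row in conn.execute(sql, {"name": username})]

if __name__ == "__main__":
    conn = make_db()
    crafted = "nobody' OR '1'='1"   # constructed input containing a quote
    print("concatenated:", lookup_concatenated(conn, crafted))  # every row
    print("bound:       ", lookup_bound(conn, crafted))         # no rows
    # A legitimate name with an apostrophe also breaks the flawed version.
    try:
        lookup_concatenated(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("concatenated, O'Brien: syntax error:", exc)
    print("bound, O'Brien:", lookup_bound(conn, "O'Brien"))
```

The database engine behaves correctly in both cases; only the way the application builds the statement differs.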
     
  3. rajavu

    rajavu Forum Guru

    Refer to this link for this and more.
     
  4. tyro

    tyro Forum Genius

    I believe in older MySQL versions there was a string function, mysql_real_escape_string(), which had a vulnerability with bad Unicode characters even though the input was properly filtered for escape characters.

    Not so obsolete; there have been many recent highly publicised cases where SQL injection has been successfully used to breach websites' security. I remember reading in the news last year in August when the UN's website was defaced with SQL injection attacks.