Hands-On Oracle Express Security by Recx
Author: Recx
Language: eng
Format: epub
Publisher: John Wiley & Sons
Published: 2013-04-01T16:00:00+00:00
DYNAMIC SQL – CURSORS
An area where we’ve seen real issues that have potentially devastating effects is where dynamic SQL is used in a cursor. Consider the following vulnerable construct that iterates through the users of a specified type and outputs a simple HTML table:
declare
  TYPE cur_typ IS REF CURSOR;
  l_cur cur_typ;
  l_sql VARCHAR(256);
  l_data VARCHAR(256);
begin
  htp.p('<table>');
  l_sql := 'select dname from dept where deptno = ' || nvl(:P41_DEPTNO,0);
  open l_cur for l_sql;
  loop
    fetch l_cur into l_data;
    exit when l_cur%NOTFOUND;
    htp.p('<tr><td>' || l_data || '</td></tr>');
  end loop;
  close l_cur;
  htp.p('</table>');
end;
The concatenation of P41_DEPTNO to the dynamic SQL statement leads to an exploitable SQL Injection condition, similar to the EXECUTE IMMEDIATE example in the previous section.
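For comparison, the same cursor with the item passed as a bind variable instead of being concatenated. This is an added example, not code from the book; the l_deptno variable, the :deptno placeholder name and the error message are assumptions introduced for illustration.

```sql
declare
  TYPE cur_typ IS REF CURSOR;
  l_cur    cur_typ;
  l_sql    VARCHAR2(256);
  l_data   VARCHAR2(256);
  l_deptno NUMBER;  -- assumption: typed local holding the validated item value
begin
  -- Convert the item once. Non-numeric input fails here and never
  -- becomes part of the statement text.
  l_deptno := to_number(nvl(:P41_DEPTNO, '0'));

  htp.p('<table>');

  -- The statement text is now a constant; :deptno is only a placeholder.
  l_sql := 'select dname from dept where deptno = :deptno';

  -- USING supplies the value as data, so it cannot alter the query structure.
  open l_cur for l_sql using l_deptno;
  loop
    fetch l_cur into l_data;
    exit when l_cur%NOTFOUND;
    htp.p('<tr><td>' || l_data || '</td></tr>');
  end loop;
  close l_cur;

  htp.p('</table>');
exception
  when value_error or invalid_number then
    -- Conversion failed: the cursor was never opened, but check anyway.
    if l_cur%ISOPEN then
      close l_cur;
    end if;
    htp.p('Invalid department number');  -- constructed message
end;
```

Because the statement text here never varies, a static cursor FOR loop over the same query with l_deptno in the WHERE clause would remove the dynamic SQL altogether.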
