Re: how to code to avoid SQL insertion attacks

From: steve (me_at_me.com)
Date: 02/19/05


Date: Sat, 19 Feb 2005 16:19:53 +0800

On Tue, 15 Feb 2005 16:03:17 +0800, bighead4694@hotmail.com wrote
(in article <1108454597.524966.326250@f14g2000cwb.googlegroups.com>):

> My backend DBMS is Oracle.
>

Too many knowledgeless idiots in this group; disregard most of the replies
you have been given, they are complete crap.

1. Do something like the following:
where "dffdfde.ffdfsreewrw" = 'package.subroutine'
which in reality is:
  String The_qry = "{ ? = call external_user.PACKAGE_02.return_relations(?,?)}";

Now the actual code!!

  String The_qry = "{ ? = call external_user.dffdfde.ffdfsreewrw(?,?)}";
  cstmt = (OracleCallableStatement) dbconn.prepareCall(The_qry);

  cstmt.registerOutParameter(1, OracleTypes.CURSOR); // the package hands back a ref cursor
  cstmt.setString(2, "DUMMY");                      // bound parameter, never concatenated
  cstmt.setInt(3, 4);                               // the type of query

Then in the Oracle database have a package that returns the data. DO NOT
allow any sort of Java-side SQL other than through packages.
(Even if the hacker fools with the above string, they can gain nothing,
because "external_user" has no real privs.)

2. Also in the package, check the "id" of the current user (that is the
"magic" number given to the session); check that against the user that is
submitting the call-ins, and disallow if it is not the same.

3. Give the packages some totally meaningless name.
4. Pass in "key" flags, not values.
5. Give "external_user" NO DIRECT PRIVS; set all routines to security
"auth_definer".
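The pattern the post describes, written out as a complete Java class that contrasts string-built SQL with the package call through bound parameters. This is an added example, not code from the post; the class, package and function names (RelationsDao, pkg_x.fn_y) are placeholders, and the package is assumed to exist in the database and to perform the caller check and privilege setup the post recommends.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Types;
import java.util.ArrayList;
import java.util.List;

// Hypothetical data-access class; all names are placeholders.
public class RelationsDao {

    // The pattern the post warns against: caller-controlled text becomes part
    // of the statement, so the input decides what SQL the database runs.
    static String vulnerableQuery(String userInput) {
        return "SELECT * FROM relations WHERE name = '" + userInput + "'";
    }

    // The hardened pattern: the statement text is a constant, every
    // caller-supplied value travels as a bound parameter, and the Java side
    // can only invoke a stored package function (placeholder name pkg_x.fn_y).
    // The package is assumed to be AUTHID DEFINER and to compare the session
    // user against the caller it expects before returning any rows.
    static final String SAFE_CALL = "{ ? = call external_user.pkg_x.fn_y(?, ?)}";

    static List<String> fetchRelations(Connection conn, String keyFlag, int queryType)
            throws SQLException {
        List<String> rows = new ArrayList<>();
        try (CallableStatement cstmt = conn.prepareCall(SAFE_CALL)) {
            // JDBC 4.2 generic cursor type; older Oracle drivers use OracleTypes.CURSOR
            cstmt.registerOutParameter(1, Types.REF_CURSOR);
            cstmt.setString(2, keyFlag);   // a "key" flag, not a raw value
            cstmt.setInt(3, queryType);    // the type of query
            cstmt.execute();
            try (ResultSet rs = (ResultSet) cstmt.getObject(1)) {
                while (rs.next()) {
                    rows.add(rs.getString(1));
                }
            }
        }
        return rows;
    }
}
```

Because SAFE_CALL never changes, a hostile value in keyFlag or queryType can only be a value the package sees, not a change to the statement the database parses.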