Free Oracle Tips

HTML Text

Home
E-mail Us
Oracle Articles

Oracle Training
Oracle News
Oracle Forum
Class Catalog

Our Staff
Our Prices
Help Wanted!

Remote DBA
Oracle Tuning
Emergency 911
RAC Support
Apps Support
Analysis
Design
Implementation
Oracle Support

SQL Tuning
Security
UNIX
Oracle UNIX
Linux
Oracle Linux
Monitoring
Remote help
Remote plans
Remote services
Oracle C++
Oracle Java
Apache
JDeveloper
App Server
Applications
Oracle Forms
Oracle Portal
11i Upgrades
SQL Server
Oracle Concepts
HTML-DB Tips
Software Help
Remote Help
Development
Implementation

Financials Training
Oracle 11i
Oracle Apps 11i
Oracle Workflow
Oracle AR 11i Class
Oracle AP 11i class
Oracle GL 11i class
Oracle HR 11i class
Oracle FA 11i class
11i Project Mgt
11i procurement
11i collections

Oracle Posters
Oracle Books
Oracle Tuning Book
Oracle RAC Book
Oracle Security
Easy Oracle Books
Oracle Scripts
SQL Server DBA
SQL Design Patterns
WISE
Excel-DB

BC Oracle News

Rednecks!
Dress code
Arabian Stallion
Burleson Arabians
Guide Horses
Don Burleson Blog
Golf & Travel

Privacy Policy

Linda Webb

Got breaking Oracle news? E-Mail me!

Click here for more Oracle News Headlines

Do semicolons in SQL expose your database to injection attacks?

QUESTION:

I've noticed that when you write SQL statements to execute over JDBC with Oracle 10g, you're not supposed to include the typical ending semicolon. For example, you're supposed to just write:

"SELECT * FROM MYTABLE"

I was wondering if one reason for this is to cut down on SQL Injection attacks like those mentioned here:

http://www.tek-tips.com/viewthread.cfm?qid=940825&page=1

ANSWER:

Great question!

From XKCD

Answer from my research: In SQL SERVER, yes. In Oracle, no!

****************************************************

http://www.webcohort.com/web_application_security/research/white_papers/blindfolded_sql_server_injection.html

Another technique uses the semicolon character. In SQL, a semicolon is used to chain several SQL statements in the same line. While with SQL injection this can be used inside the injection code, the Oracle drivers do not allow use of semicolons in this manner.

****************************************************

http://online.securityfocus.com/infocus/1644

Statements in Oracle tools and languages are delimited by semicolons (;) so we can try that next:

SQL> exec get_cust('x'';select username from all_users where ''x''=''x');
debug:select customer_phone from customers where customer_surname='x';select
username from all_users where 'x'='x'
-911ORA-00911: invalid character

Again this doesn’t work, as another Oracle error code is returned. Adding a semicolon after the first statement will not allow a second statement to be executed, so the only way to get Oracle to execute extra SQL is to either extend the existing where clause or to use a union or a subselect.

*******************************************************

http://www.imperva.com/application_defense_center/glossary/sql_injection.html

http://www.mydomain.com/products/products.asp?productid=123;DROP TABLE Products

In this example the semicolon is used to pass the database server multiple statements in a single execution. The second statement is "DROP TABLE Products" which causes SQL Server to delete the entire Products table.

Need an Oracle Health Check?

Do you have bad performance after an upgrade?
Need to certify that your database follows best practices?

BC Oracle performance gurus can quickly certify every aspect of your Oracle database and provide a complete verification that your database is fully optimized.

Hit Counter

Oracle performance Tuning 10g reference poster

Oracle training & performance tuning books

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.
Feel free to ask questions on our Oracle forum.

Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.

Errata? Oracle technology is changing and we strive to update our BC Oracle support information. If you find an error or have a suggestion for improving our content, we would appreciate your feedback. Just e-mail: and include the URL for the page.

Burleson Consulting

The Oracle of database support

Oracle® is the registered trademark of Oracle Corporation.