How is SQL injection possible using Bind variables?


My database administrator says that using bind variables does not completely protect against SQL injection, but I can't figure out how that could be, since bind variables, especially for strings, usually force the entered SQL to be treated as a string in the WHERE clause.

Example:

SELECT CUST_ID  
FROM CUST.CUSTOMER 
WHERE FIRST_NAME=:FNAME;

If FNAME="SELECT FNMAME WHERE CUST_ID=10040", the following query will be run in the database:

SELECT CUST_ID 
FROM CUST.CUSTOMER 
WHERE FIRST_NAME="SELECT FNMAME WHERE CUST_ID=10040";

which will return 0 rows.

I searched the Internet, and this site, for an answer to this question, but I could not find one.

Thanks again.

+4
5 answers


 'select' + column_list + ' from T where col :1'


+1


SELECT CUST_ID FROM CUST.CUSTOMER ORDER BY :COLUMNNAME :DIRECTION


SQL Injection Myths and Fallacies: https://www.youtube.com/watch?v=VldxqTejybk

+4
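A runnable illustration of the points made in the question and in the two answers above, added here as an example; it is not code from the original post or its answers. It uses Python's sqlite3 module, whose `?` and `:name` placeholders stand in for Oracle bind variables, and a constructed in-memory table standing in for CUST.CUSTOMER (the PASSWORD column and the sample rows are assumptions). It shows that a bound value in the question's WHERE clause is always compared as data, that the first answer's `'select' + column_list + ...` pattern stays injectable through column_list however carefully the value is bound, and that the ORDER BY column and ASC/DESC keyword from the second answer cannot be bound at all and have to be chosen from an allow-list instead.

```python
import sqlite3

# Constructed sample rows (not from the original page); a stand-in for CUST.CUSTOMER.
# The PASSWORD column is assumed, to have something the application never meant to expose.
CUSTOMERS = [
    (10040, "Alice", "secret-alice"),
    (10041, "Bob", "secret-bob"),
]

# Identifiers and keywords the application is willing to splice into SQL text.
ALLOWED_COLUMNS = {"CUST_ID", "FIRST_NAME"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db():
    """Build an in-memory SQLite database holding the constructed CUSTOMER table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CUSTOMER (CUST_ID INTEGER, FIRST_NAME TEXT, PASSWORD TEXT)")
    conn.executemany("INSERT INTO CUSTOMER VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def find_by_first_name(conn, fname):
    """The query from the question. FNAME is bound, so whatever string arrives
    is compared against FIRST_NAME as data; it can never alter the statement."""
    rows = conn.execute(
        "SELECT CUST_ID FROM CUSTOMER WHERE FIRST_NAME = :FNAME", {"FNAME": fname}
    )
    return [r[0] for r in rows]


def select_columns_unsafe(conn, column_list, value):
    """The pattern from the first answer: the value is bound, but column_list is
    concatenated into the SQL text. The bind protects only the value; the rest of
    the statement is whatever column_list says it is."""
    sql = "SELECT " + column_list + " FROM CUSTOMER WHERE FIRST_NAME = ?"
    return conn.execute(sql, (value,)).fetchall()


def select_columns_safe(conn, columns, value):
    """Same query, but only identifiers from a fixed allow-list reach the SQL text."""
    for col in columns:
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {col!r}")
    sql = "SELECT " + ", ".join(columns) + " FROM CUSTOMER WHERE FIRST_NAME = ?"
    return conn.execute(sql, (value,)).fetchall()


def order_by_bound(conn, column_name):
    """What happens if you try to bind the ORDER BY column as in the second
    answer's example: the bound value is a constant string, not an identifier,
    so every row gets the same sort key and the requested column has no effect."""
    rows = conn.execute(
        "SELECT CUST_ID FROM CUSTOMER ORDER BY :COLUMNNAME", {"COLUMNNAME": column_name}
    )
    return [r[0] for r in rows]


def order_by_safe(conn, column_name, direction):
    """Sorting by a user-chosen column and ASC/DESC has to be dynamic SQL; the
    defence is to map the user's choice onto a fixed identifier and keyword."""
    if column_name not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort: {column_name!r} {direction!r}")
    sql = f"SELECT CUST_ID FROM CUSTOMER ORDER BY {column_name} {direction}"
    return [r[0] for r in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    # The question's payload arrives as a plain string and matches nothing: 0 rows.
    print(find_by_first_name(db, "SELECT FNMAME WHERE CUST_ID=10040"))
    print(find_by_first_name(db, "Alice' OR '1'='1"))
    # With the column list under attacker control the bound value is still honoured,
    # yet the statement now dumps every password; the trailing -- comments out the
    # application's own WHERE clause.
    print(select_columns_unsafe(db, "PASSWORD FROM CUSTOMER WHERE ? IS NULL OR 1=1 --", "Alice"))
    print(select_columns_safe(db, ["CUST_ID", "FIRST_NAME"], "Alice"))
    print(order_by_bound(db, "FIRST_NAME"), order_by_safe(db, "FIRST_NAME", "DESC"))
```

The allow-list functions raise rather than silently substituting a default, so a request for a column outside the list fails loudly instead of being quietly re-interpreted; the same mapping approach applies to any other identifier or keyword (table name, sort direction, function name) that an application wants to take from user input.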


+3


0

  • DBA insert
  • execute immediate

... or basically any other code that involves using dynamic SQL with a query string made up of user-supplied data. Even snap options will not help you.

-3

Source: https://habr.com/ru/post/1674109/

