Should I pass the where clause as a parameter that will prevent SQL injection?

I created an Oracle proc where I build a dynamic SQL query based on the parameters passed to the proc.

I have done some testing, and it seems that I cannot perform SQL injection.

Is there anything extra I should do to be safe?

SELECT 'UPDATE ' || p_table || ' SET MY_FIELD =  ''' || p_Value || ''' ' || p_Where
  INTO query_string
  FROM DUAL;

EDIT:

Scenarios that I've tried:
1. WHERE SOME_VAL IN ('AAA','BBB') - This works
2. WHERE SOME_VAL IN ('AAA','BBB') OR SOME_VAL2 = '123' - This works.
3. WHERE SOME_VAL IN ('AAA','BBB'); DROP TABLE TEST_TABLE; - This errors out.
4. WHERE SOME_VAL IN ('AAA','BBB') OR (DELETE FROM TEST_TABLE) - This errors out.
+4
2 answers


CREATE OR REPLACE PROCEDURE test_proc(table_name IN VARCHAR2,
                                      p_Value    IN VARCHAR2,
                                      p_Where    IN VARCHAR2)
  IS
  p_table      VARCHAR2(100);
  query_string VARCHAR2(4000);
BEGIN
  -- Map the caller's code to a known table name and reject anything else,
  -- so the table identifier itself can never carry injected SQL.
  CASE table_name
     WHEN 'A' THEN p_table := 'db_table_a';
     WHEN 'B' THEN p_table := 'db_table_b';
     ELSE RAISE_APPLICATION_ERROR(-20001, 'Invalid table name parameter');
  END CASE;
  -- p_Value and p_Where are still concatenated into the statement text.
  SELECT 'UPDATE ' || p_table || ' SET MY_FIELD =  ''' || p_Value || ''' '
         || p_Where
        INTO query_string
        FROM DUAL;
END;
/


+1

Dynamic SQL is Pandora's box.


drop table test1;

create table test1(my_field varchar2(100), some_val varchar2(100));
insert into test1 values('A', 'AAA');
commit;


create or replace function dangerous_function return number is
    -- Autonomous transaction: a function called from inside a query may
    -- run and commit its own DML, which a plain function could not.
    pragma autonomous_transaction;
begin
    delete from test1;
    commit;
    return 1;
end;
/


--Safe static part:
update test1
set my_field = 'b'
--Dangerous dynamic part:
where some_val IN ('AAA')
    and 1 = (select dangerous_function from dual);


--Safe static part:
update --+ WITH_PLSQL
test1
set my_field = 'b'
--Dangerous dynamic part:
where some_val IN ('AAA')
    and 1 = (
        with function dangerous_function return number is
            pragma autonomous_transaction;
        begin
            delete from test1;
            commit;
            return 1;
        end;
        select dangerous_function from dual
    );

Without the --+ WITH_PLSQL hint this fails with ORA-32034: unsupported use of WITH clause.


+1
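Putting the two answers together (whitelist every identifier, never parse caller text as SQL), here is an added example of a hardened version of the asker's procedure. It is not code from the question or from either answer. Assumptions: the allowed tables are DB_TABLE_A and DB_TABLE_B, each with a MY_FIELD column (hypothetical names), and the free-form "where clause" is replaced by one whitelisted column compared against a caller-supplied list of values bound as a collection. The value list type, the procedure name and the column whitelist are all made up for the example.

```sql
-- Added example, not from the question or the answers.
-- Schema-level collection type so a list of values can be bound (assumed name).
CREATE OR REPLACE TYPE str_list AS TABLE OF VARCHAR2(100);
/

CREATE OR REPLACE PROCEDURE safe_update(
    p_table      IN VARCHAR2,   -- caller's table code: 'A' or 'B'
    p_value      IN VARCHAR2,   -- new value for MY_FIELD (data, bound)
    p_where_col  IN VARCHAR2,   -- column to filter on (identifier, whitelisted)
    p_where_vals IN str_list)   -- values to match (data, bound)
IS
    l_table VARCHAR2(128);
    l_col   VARCHAR2(128);
    l_sql   VARCHAR2(4000);
BEGIN
    -- 1. Identifiers: map caller codes to known names; reject everything else.
    CASE UPPER(p_table)
        WHEN 'A' THEN l_table := 'DB_TABLE_A';
        WHEN 'B' THEN l_table := 'DB_TABLE_B';
        ELSE RAISE_APPLICATION_ERROR(-20001, 'Invalid table name parameter');
    END CASE;
    CASE UPPER(p_where_col)
        WHEN 'SOME_VAL'  THEN l_col := 'SOME_VAL';
        WHEN 'SOME_VAL2' THEN l_col := 'SOME_VAL2';
        ELSE RAISE_APPLICATION_ERROR(-20002, 'Invalid where column parameter');
    END CASE;

    -- Belt and braces: DBMS_ASSERT raises ORA-44003 if a whitelisted entry
    -- were ever edited into something that is not a plain SQL identifier.
    l_table := DBMS_ASSERT.SIMPLE_SQL_NAME(l_table);
    l_col   := DBMS_ASSERT.SIMPLE_SQL_NAME(l_col);

    -- 2. Data: bind variables only. The statement text contains nothing the
    --    caller typed, so there is no "where clause" left to inject into.
    l_sql := 'UPDATE ' || l_table
          || ' SET my_field = :new_value'
          || ' WHERE ' || l_col
          || ' IN (SELECT column_value FROM TABLE(CAST(:vals AS str_list)))';

    EXECUTE IMMEDIATE l_sql USING p_value, p_where_vals;
END safe_update;
/

-- Normal call: updates rows of DB_TABLE_A where SOME_VAL is 'AAA' or 'BBB'.
BEGIN
    safe_update('A', 'b', 'SOME_VAL', str_list('AAA', 'BBB'));
END;
/

-- The payload from the second answer, supplied as a value. It is now just a
-- string compared against SOME_VAL: it matches no row and is never parsed,
-- so dangerous_function is never called.
BEGIN
    safe_update('A', 'b', 'SOME_VAL',
        str_list('AAA'') AND 1 = (SELECT dangerous_function FROM dual) --'));
END;
/
```

DBMS_ASSERT.SIMPLE_SQL_NAME only checks that a string has the shape of an identifier; it does not make an arbitrary caller-supplied name safe to use, so it complements the CASE whitelist rather than replacing it. Binding the value list as a collection is what removes the asker's original problem: once the caller can no longer hand over a fragment of SQL text, the "scenario testing" of semicolons and DELETE statements becomes unnecessary, because the value never reaches the parser as code.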

Source: https://habr.com/ru/post/1676291/
