All geek questions in one place

How can PHP deactivate user input for a SQL DDL statement?

I need to update the user password with PHP, this is done using the ALTER USER statement. I cannot use prepared statements because they do not support DDL commands. The username field can be easily sanitized to make sure it matches the alphanumeric regular expression, but I cannot determine a safe way to sanitize the password.

How should I do it?

I know that the situation is not perfect, but I do not call it shots. I'm just trying to keep it as safe as possible.

EDIT: Here is an example of what I'm trying to run

ALTER USER myusername IDENTIFIED BY mynewpassword1

This works successfully in SQL Developer, and I could get it to work through concatenation, but I hope to avoid that.

+4
source share
1 answer

Pass the input to the PL / SQL block binding variable and concatenate inside PL / SQL after use DBMS_ASSERT.ENQUOTE_NAMEto validate the input.

(The original poster understands the dangers of this approach, but it is worth repeating it: this is usually not a good idea. Always avoid building SQL queries with concatenation when possible. 99.9% of the time this can be done using old old variables bindings There are many hidden ways to do SQL injection when strings are combined.)

declare
    v_quoted_string varchar2(100);
begin
    v_quoted_string := dbms_assert.enquote_name(:v_new_password, capitalize => false);
    execute immediate 'alter user myusername identified by '||v_quoted_string;
end;
/

If the user tries to break out of the name, using a double quotation mark, an exception will be raised: ORA-44003: invalid SQL name.

+2
source

Source: https://habr.com/ru/post/1678898/

More articles:


All Articles