
You're reading from Oracle Advanced PL/SQL Developer Professional Guide

Product type: Book
Published in: May 2012
Reading level: Expert
Publisher: Packt
ISBN-13: 9781849687225
Edition: 1st Edition
Author: Saurabh K. Gupta

Saurabh K. Gupta is a seasoned database technologist with extensive experience in designing high-performance and highly available database applications. His technology focus has been centered around Oracle Database architecture, Oracle Cloud platform, Database In-Memory, Database Consolidation, Multitenant, Exadata, Big Data, and Hadoop. He has authored the first edition of this book. He is an active speaker at technical conferences from Oracle Technology Network, IOUG Collaborate'15, AIOUG Sangam, and Tech Days. Connect with him on Twitter (SAURABHKG) or through his technical blog www.sbhoracle.wordpress.com with comments, suggestions, and feedback regarding this book.

Chapter 12. Safeguarding PL/SQL Code against SQL Injection Attacks

Oracle Database is, undoubtedly, the uncrowned monarch of the "information business" across the globe. Although it has narrowed the gap between expectations and capability, the question "Is my information secure?" still hangs over every DBMS. We often discuss language strength, performance, storage, and data security, but code vulnerability holds an equal stake in data security. The strength of SQL and PL/SQL is unquestionable; carelessly written code, however, can let an attacker smuggle statements through it and perform vicious manipulations of the data.

In this chapter, we will broaden our view to PL/SQL code security. We will see how "loose code writing" can expose the code base, and through it the data, to injection. We will cover the following topics:

  • SQL injection

    • Introduction and understanding

  • Immunizing SQL injection attacks

    • Reducing the attack surface

    • Avoiding...

SQL injection—an introduction


SQL injection is a database intrusion in which a malicious user supplies input that is incorporated into a SQL statement built by PL/SQL code (typically by string concatenation in dynamic SQL), altering the statement so that it does something its author never intended. Once the code has been subverted in this way, the attacker can pull confidential information out of the database, and there can be far more damaging consequences, such as modifying or destroying data.

In 1998, Rain Forest Puppy (RFP) was the first to describe the technique publicly, in his paper "NT Web Technology Vulnerabilities" for Phrack 54. Injection techniques were subsequently studied by many practitioners in order to chalk out the coding best practices that blunt such attacks. To date, many application exploitation cases have been recorded on account of code injection; for a reference, see http://www.computerworld.com.au/index.php/id;683627551. Applications working with personal information or financial data are the most attractive targets for injection attacks.
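The mechanism described above, as an added example that is not code from the book: a lookup procedure that splices its input into dynamic SQL, the input that turns the lookup into a dump of every row, and two hardened versions of the same procedure. The EMPLOYEES table with columns EMPLOYEE_ID, LAST_NAME and SALARY, the procedure names, and SERVEROUTPUT being enabled are assumptions of the example.

```sql
-- Added example (not from the book). Assumes an EMPLOYEES table with
-- columns EMPLOYEE_ID, LAST_NAME and SALARY, and SET SERVEROUTPUT ON.

-- Vulnerable: the caller's string is spliced into the statement text, so a
-- quote in the input ends the literal and the rest is parsed as SQL.
CREATE OR REPLACE PROCEDURE list_salary_vuln (p_last_name IN VARCHAR2) IS
  l_sql  VARCHAR2(4000);
  l_cur  SYS_REFCURSOR;
  l_id   employees.employee_id%TYPE;
  l_sal  employees.salary%TYPE;
BEGIN
  l_sql := 'SELECT employee_id, salary FROM employees WHERE last_name = '''
           || p_last_name || '''';
  DBMS_OUTPUT.PUT_LINE('Executing: ' || l_sql);
  OPEN l_cur FOR l_sql;
  LOOP
    FETCH l_cur INTO l_id, l_sal;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_id || ' -> ' || l_sal);
  END LOOP;
  CLOSE l_cur;
END list_salary_vuln;
/

-- Normal use returns one employee's salary. The injected value below turns the
-- predicate into   last_name = 'x' OR '1'='1'   and dumps every salary.
BEGIN
  list_salary_vuln('King');
  list_salary_vuln('x'' OR ''1''=''1');
END;
/

-- Hardened: the statement text is a constant and the input is passed as a
-- bind argument, so it can only ever be compared as a value.
CREATE OR REPLACE PROCEDURE list_salary_safe (p_last_name IN VARCHAR2) IS
  l_cur  SYS_REFCURSOR;
  l_id   employees.employee_id%TYPE;
  l_sal  employees.salary%TYPE;
BEGIN
  OPEN l_cur FOR
    'SELECT employee_id, salary FROM employees WHERE last_name = :ln'
    USING p_last_name;
  LOOP
    FETCH l_cur INTO l_id, l_sal;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_id || ' -> ' || l_sal);
  END LOOP;
  CLOSE l_cur;
END list_salary_safe;
/

-- Better still: the table and columns are known when the code is written, so
-- dynamic SQL is not needed at all. Static SQL binds p_last_name automatically.
CREATE OR REPLACE PROCEDURE list_salary_static (p_last_name IN VARCHAR2) IS
BEGIN
  FOR r IN (SELECT employee_id, salary
              FROM employees
             WHERE last_name = p_last_name)
  LOOP
    DBMS_OUTPUT.PUT_LINE(r.employee_id || ' -> ' || r.salary);
  END LOOP;
END list_salary_static;
/

-- The same injected string now matches no row in either hardened version.
BEGIN
  list_salary_safe('x'' OR ''1''=''1');
  list_salary_static('x'' OR ''1''=''1');
END;
/
```

The point to take from the three versions is that the fix is not quoting or escaping the input but keeping it out of the statement text altogether: with a bind, the database parses the constant statement first and only then supplies the value, so no input can change the statement's shape.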

SQL injection—an overview

In the past, the reason...

Immunizing SQL injection attacks


We will now discuss in detail the ways to immunize code against SQL injection. Besides the ways listed above, we will cover some additional techniques for reducing exposure to SQL injection attacks.

Reducing the attack surface

Reducing the attack surface is a preventive measure applied proactively against SQL injection. It aims to minimize the area of operation, and the visibility, available to an attacker by controlling the privileges and execution rights a user has over the subprograms accessible to him. The technique matters when a user plays a narrowly defined role in an application but has nevertheless been granted many privileges irrelevant to that role. The attack perimeter can be reduced by:

  • Controlling the user privileges

  • Creating the program units with invoker's rights
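Both measures together, as an added example that is not code from the book: the same dynamic-SQL body compiled once with definer's rights and once with invoker's rights, the minimal grants for the calling account, and an injected filter that probes a table the caller may not read. The schema names APP_OWNER and APP_USER, the EMPLOYEES (with a DEPARTMENT_ID column) and PAYROLL tables, and the procedure names are assumptions of the example.

```sql
-- Added example (not from the book). Assumed names: schema APP_OWNER owns
-- EMPLOYEES (with a DEPARTMENT_ID column) and a PAYROLL table that only
-- APP_OWNER may read; APP_USER is a low-privilege application account.

-- Definer's rights (the default when AUTHID is omitted): the body, and any
-- SQL injected into it, runs with APP_OWNER's privileges and name resolution.
CREATE OR REPLACE PROCEDURE app_owner.count_emps_dr (p_filter IN VARCHAR2)
  AUTHID DEFINER
IS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app_owner.employees WHERE ' || p_filter
    INTO l_cnt;
  DBMS_OUTPUT.PUT_LINE('rows: ' || l_cnt);
END count_emps_dr;
/

-- Invoker's rights: the same body runs with the caller's privileges, so an
-- injected reference to an object the caller cannot see fails instead of
-- silently leaking data.
CREATE OR REPLACE PROCEDURE app_owner.count_emps_ir (p_filter IN VARCHAR2)
  AUTHID CURRENT_USER
IS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app_owner.employees WHERE ' || p_filter
    INTO l_cnt;
  DBMS_OUTPUT.PUT_LINE('rows: ' || l_cnt);
END count_emps_ir;
/

-- Least privilege for the caller: execute rights on the units and SELECT on
-- the one table the report needs. No grant on PAYROLL.
GRANT EXECUTE ON app_owner.count_emps_dr TO app_user;
GRANT EXECUTE ON app_owner.count_emps_ir TO app_user;
GRANT SELECT  ON app_owner.employees      TO app_user;

-- Connected as APP_USER. The filter is an injection that probes a table the
-- caller has no privilege on.
BEGIN
  -- Runs as APP_OWNER: succeeds, and the count reveals whether PAYROLL has
  -- any rows (a blind-injection oracle).
  app_owner.count_emps_dr(
    'department_id = 10 AND EXISTS (SELECT 1 FROM app_owner.payroll)');
END;
/
BEGIN
  -- Runs as APP_USER: raises ORA-00942 (table or view does not exist),
  -- because APP_USER has no privilege on PAYROLL.
  app_owner.count_emps_ir(
    'department_id = 10 AND EXISTS (SELECT 1 FROM app_owner.payroll)');
END;
/
```

Invoker's rights limits the blast radius; it does not remove the injection. The caller can still run anything its own privileges allow through the concatenated filter, so a parameter that carries a whole predicate must be replaced by a fixed set of allowed filters with the values bound, or validated with DBMS_ASSERT where it names an identifier. Also note that with AUTHID CURRENT_USER, unqualified object names resolve in the caller's schema, which is why the example qualifies EMPLOYEES with its owner.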

Controlling user privileges

The DBA must keep a close eye on the roles assigned to the application's users so that no account offers an attacker more than its job requires. The availability of additional spare privileges might...

Testing the code for SQL injection flaws


Until now, we discussed the symptoms and remedies of SQL injection and demonstrated the programming recommendations that mitigate code injection. Code quality assurance and testing play a crucial role in taking preventive measures against attackers: the testing team must adopt a concrete strategy to discover code vulnerabilities before an attacker finds them and uses them to exploit the database. We will now discuss some considerations for testing code for SQL injection flaws.

Test strategy

A logical and effective test strategy must be employed to discover injection flaws. Of course, there is no magic practice that flushes out every flaw in the code.

Code reviews are part of static testing, while exercising the programs with sample data and inputs comes under dynamic testing. These days, static testing has been absorbed into the development stage, where developers, their peers, and seniors review the code...
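A starting point for the static side of that strategy, as an added example that is not from the book: three data-dictionary queries that triage the current schema for review. They rely only on the documented ALL_SOURCE and ALL_PROCEDURES views; the keyword pattern and the object-type list are choices of the example. They are a heuristic to find where to look, not proof that a unit is safe, which is consistent with the warning above that no practice flushes out every flaw.

```sql
-- Added example (not from the book): dictionary queries to triage the current
-- schema for a SQL-injection code review. Heuristic only: statements assembled
-- across several lines or in helper functions still need a human reader.

-- 1. Units that both build dynamic SQL and concatenate strings: review first.
SELECT owner, name, type,
       SUM(CASE WHEN REGEXP_LIKE(text,
                  'EXECUTE\s+IMMEDIATE|OPEN\s+\S+\s+FOR(\s|$)|DBMS_SQL\.PARSE', 'i')
                THEN 1 ELSE 0 END) AS dynamic_sql_lines,
       SUM(CASE WHEN INSTR(text, '||') > 0 THEN 1 ELSE 0 END) AS concat_lines
  FROM all_source
 WHERE owner = USER
   AND type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE BODY', 'TYPE BODY', 'TRIGGER')
 GROUP BY owner, name, type
HAVING SUM(CASE WHEN REGEXP_LIKE(text,
                  'EXECUTE\s+IMMEDIATE|OPEN\s+\S+\s+FOR(\s|$)|DBMS_SQL\.PARSE', 'i')
                THEN 1 ELSE 0 END) > 0
 ORDER BY dynamic_sql_lines DESC, concat_lines DESC;

-- 2. Each dynamic-SQL line with the two lines before it, so the reviewer can
--    see how the statement text was assembled (a literal, a bind, or a ||).
SELECT s.name, s.type, s.line, RTRIM(s.text, CHR(10)) AS source_line
  FROM all_source s
 WHERE s.owner = USER
   AND EXISTS (SELECT 1
                 FROM all_source d
                WHERE d.owner = s.owner AND d.name = s.name AND d.type = s.type
                  AND d.line BETWEEN s.line AND s.line + 2
                  AND REGEXP_LIKE(d.text,
                        'EXECUTE\s+IMMEDIATE|OPEN\s+\S+\s+FOR(\s|$)|DBMS_SQL\.PARSE',
                        'i'))
 ORDER BY s.name, s.type, s.line;

-- 3. Top-level units still running with definer's rights (AUTHID omitted or
--    DEFINER): an injection in these executes with the owner's privileges.
SELECT owner, object_name, object_type, authid
  FROM all_procedures
 WHERE owner = USER
   AND procedure_name IS NULL       -- one row per top-level unit
   AND authid = 'DEFINER'
 ORDER BY object_type, object_name;
```

Expect false positives: a cursor variable opened FOR a static SELECT matches the pattern, as does the keyword in a comment. The value of the list is that it is short enough to read in full; every hit where the executed text is built from a parameter without a bind is a finding, and every definer's-rights unit on that list deserves a second look at the privileges its owner holds.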

Summary


In this chapter, we learned about SQL injection, a malicious attack technique. We understood the causes of such attacks on code and their impact on the database. We covered the techniques that safeguard an application against injection attacks, through demonstrations and illustrations. At the end of the chapter, we discussed some testing considerations for finding the vulnerable areas in the code.

Practice exercise


  1. Which method would you employ to immunize PL/SQL code against SQL injection attacks?

    1. Replace dynamic SQL with static SQL.

    2. Replace concatenated inputs in dynamic SQL with bind arguments.

    3. Declare the PL/SQL program to be executed with its invoker's rights.

    4. Remove string-type parameters from the procedure.

  2. Use static SQL to avoid SQL injection when all Oracle identifiers are known at the time of code execution.

    1. True

    2. False

  3. Choose the impact of SQL injection attacks:

    1. Malicious string inputs can extract confidential information.

    2. Unauthorized access can drop a database.

    3. It can insert ORDER data in EMPLOYEES table.

    4. A procedure executed with its owner's (SYS) rights can change the password of a user.

  4. Pick the correct strategies to fight against SQL injection:

    1. Sanitize malicious inputs from the application layer with DBMS_ASSERT.

    2. Remove string-concatenated inputs from the Oracle subprogram.

    3. Remove dynamic SQL altogether.

    4. Execute a PL/SQL program with its creator's rights.

  5. Statistical...

