> That said, SQL Inject attacks /can/ be prevented by doing
> proper data cleaning for all queries that use values
> generated by outsiders (URL params, forms, etc.) I'm just
> saying that Oracle, DB2 and the others prefer to prevent
> things at the database level, rather than putting the
> security burden on the developer.

Whether you can run multiple queries within a single SQL batch is generally determined by the JDBC drivers (or other database clients) being used, not by the database. It's my understanding that Oracle and DB2 both can accept SQL batches. Generally, Oracle is just as vulnerable to SQL injection attacks as is SQL Server (although for various reasons, the outcomes may often be less bad with Oracle).

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
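The point made in the reply above, as an added example that is not part of the original message: Python's built-in `sqlite3` module stands in for the driver and database pair. One client call refuses a second statement while another call on the same engine accepts the batch, and a single-statement injection succeeds either way unless the value is bound as a parameter. The table, the function names and the sample inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory sample database."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO users (name) VALUES ('alice');"
        "INSERT INTO users (name) VALUES ('bob');"
    )
    return db

def build_sql(name):
    """Vulnerable pattern: outsider-supplied value spliced into the SQL text."""
    return "SELECT name FROM users WHERE name = '" + name + "'"

def lookup_concatenated(db, name):
    """Runs the spliced SQL through the single-statement client call."""
    return sorted(row[0] for row in db.execute(build_sql(name)))

def lookup_bound(db, name):
    """Hardened: the value is a bound parameter and is never parsed as SQL."""
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)

def client_rejects_batch(db, name):
    """True if execute() refuses input that turns the query into a batch."""
    try:
        lookup_concatenated(db, name)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # Older Pythons raise Warning, newer ones ProgrammingError.
        return True
    return False

def run_as_script(db, name):
    """Same engine, different client call: executescript() accepts batches."""
    db.executescript(build_sql(name))

def user_count(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]

# Constructed sample inputs.
STACKED = "x'; DELETE FROM users; --"   # needs batch support in the client
SINGLE = "x' OR '1'='1"                 # stays within one statement

if __name__ == "__main__":
    db = make_db()
    print("execute() rejects batch:", client_rejects_batch(db, STACKED))
    print("concatenated, single statement:", lookup_concatenated(db, SINGLE))
    print("bound parameter:", lookup_bound(db, SINGLE))
```

Blocking batches in the client only removes the stacked-statement case; the concatenated query still returns every row for the single-statement input, while the bound version returns none.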

