(excerpted from the first link below)
To SQL inject and use PL/SQL packages, procedures or functions really requires a case of dynamic PL/SQL. If a form or application builds and executes dynamic PL/SQL in the same manner as described above, the same techniques can be used to insert calls to standard PL/SQL packages or to any PL/SQL packages or functions that exist in the schema.
So, is the argument presented on this thread that the use of DBI is equivalent to the use of stored procedures in terms of creating opportunities to SQL inject? Are you saying that, even though I use _no_ stored procedures in this DB, I am at risk because I am interfacing to it with DBI? Or are you being really careful, telling me this "just in case" I _am_ using stored procedures?
Thx,
Dave A.
Tim Bunce wrote:
On Sun, Sep 28, 2003 at 10:36:21AM +1000, Ron Savage wrote:
On Sat, 27 Sep 2003 01:53:46 -0700, Dave Anderson wrote:
Hi Dave
In case no-one mentioned it yet, you can read about SQL injection attacks here:
http://www.securityfocus.com/infocus/1644
This is a superb article.
And here: http://www.nextgenss.com/research/papers.html
Tim.
p.s. Both URLs are in the DBI docs.
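As an added illustration of what the linked article and this thread are about (this is not code from the thread, the DBI docs or either article): the injection point in plain DBI code is a SQL string built by interpolating untrusted input, whether or not any stored procedure is involved. The script below runs the same lookup twice against a throwaway in-memory table, once with the value interpolated into the SQL text and once with a DBI placeholder. It assumes DBD::SQLite is installed; the table, rows and the hostile `$input` value are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example: no stored procedures, just ordinary DBI queries.
# Assumes DBD::SQLite; an in-memory database keeps the example self-contained.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data.
$dbh->do("CREATE TABLE users (name TEXT, secret TEXT)");
$dbh->do("INSERT INTO users VALUES ('alice', 's3cret-a')");
$dbh->do("INSERT INTO users VALUES ('bob',   's3cret-b')");

# Untrusted input, e.g. a CGI form field (constructed for the example).
my $input = "nobody' OR '1'='1";

# VULNERABLE: the value is pasted into the SQL text, so the quote in
# $input closes the literal and the remainder becomes part of the WHERE
# clause: ... WHERE name = 'nobody' OR '1'='1'
my $bad_sql = "SELECT name, secret FROM users WHERE name = '$input'";
my $leaked  = $dbh->selectall_arrayref($bad_sql);
printf "interpolated: %d row(s) returned\n", scalar @$leaked;

# SAFE: a placeholder sends the value to the driver separately from the
# SQL text, so the whole string, quotes included, is treated as data.
my $sth = $dbh->prepare("SELECT name, secret FROM users WHERE name = ?");
$sth->execute($input);
my $rows = $sth->fetchall_arrayref;
printf "placeholder:  %d row(s) returned\n", scalar @$rows;

# If a literal really must be spliced into the SQL string (placeholders
# cannot stand in for identifiers such as table or column names, and
# some drivers limit where they may appear), $dbh->quote() escapes it
# using the driver's own rules rather than an ad hoc regex.
my $quoted   = $dbh->quote($input);
my $safe_sql = "SELECT name FROM users WHERE name = $quoted";
my $by_quote = $dbh->selectall_arrayref($safe_sql);
printf "quote():      %d row(s) returned\n", scalar @$by_quote;

$dbh->disconnect;
```

Run with `perl inject.pl`. The interpolated query's WHERE clause is always true, so it returns every user's secret; the placeholder and `quote()` versions look for a user literally named `nobody' OR '1'='1` and return nothing. The point for the question above is that the risk lives in how the SQL text is assembled, and DBI's placeholders (documented under "Placeholders and Bind Values" in the DBI docs) are the mechanism for keeping data out of the statement text.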
