SQL Server Tips by Burleson

SQL injection in dynamic SQL

SQL injection is not exclusive to web applications. Any application is vulnerable if it builds SQL code by concatenating user input into the statement text without any protective measures. A stored procedure (SP) that uses dynamic SQL can be subject to this kind of attack as well.

The SP validate_user authenticates users by retrieving the user name from the user table, filtered by login name and password. If the retrieved user name is NULL, the supplied login name and password have no match in the database, and the user is not authenticated.

CREATE PROCEDURE validate_user @logname varchar(50), @password varchar(20)
AS
set nocount on
DECLARE @SQL NVARCHAR(4000), @name varchar(50)
-- The user-supplied values are spliced directly into the statement text;
-- this concatenation is what makes the procedure injectable.
SET @SQL='select @uname=username from Table_users WHERE logname='''+@logname+''' AND userpassword='''+@password+''''
-- Print the assembled statement so the effect of each input is visible.
PRINT @SQL
EXECUTE sp_executesql @SQL, N'@uname varchar(50) out', @name out
IF NOT (@name IS NULL)
SELECT 'Welcome '+@name+'!'
ELSE
SELECT 'User not authenticated!'


The SP also prints the SQL statement it is about to run, so it is easier to see how the query is modified by each input.

This is a call with the correct login name and password:

EXEC validate_user 'mike', 'a1234'

All the techniques already examined are still possible. The only difference is that, because the values are passed as T-SQL string literals, some single quotes have to be doubled:

EXEC validate_user ''' OR 1=1--', ''
EXEC validate_user ''' OR ''''=''', ''' OR ''''='''
Etc…

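The defensive counterpart to the procedure above, added here as an example and not part of the book excerpt: the same validate_user logic rewritten so that the login name and password are passed to sp_executesql as bound parameters rather than concatenated into the statement text. It assumes the same Table_users table (columns username, logname, userpassword) that the excerpt's procedure queries; the procedure name validate_user_safe and the parameter names @p_logname and @p_password are chosen for this example.

```sql
-- Added example: parameterized version of validate_user (not from the book).
-- Assumes the excerpt's Table_users(username, logname, userpassword).
CREATE PROCEDURE validate_user_safe @logname varchar(50), @password varchar(20)
AS
SET NOCOUNT ON
DECLARE @SQL NVARCHAR(4000), @name varchar(50)

-- The statement text is a constant: it contains parameter markers only,
-- so no user-supplied character can change its structure.
SET @SQL = N'SELECT @uname = username FROM Table_users
             WHERE logname = @p_logname AND userpassword = @p_password'

-- sp_executesql binds the values as typed parameters. An input such as
-- ' OR 1=1-- is compared literally against the logname column and cannot
-- terminate the string or append a new predicate.
EXECUTE sp_executesql @SQL,
    N'@uname varchar(50) OUTPUT, @p_logname varchar(50), @p_password varchar(20)',
    @uname = @name OUTPUT,
    @p_logname = @logname,
    @p_password = @password

IF @name IS NOT NULL
    SELECT 'Welcome ' + @name + '!'
ELSE
    SELECT 'User not authenticated!'
GO

-- The excerpt's calls, repeated against the parameterized procedure:
-- the valid credentials still authenticate, while the injected values
-- simply match no row and return 'User not authenticated!'.
EXEC validate_user_safe 'mike', 'a1234'
EXEC validate_user_safe ''' OR 1=1--', ''
EXEC validate_user_safe ''' OR ''''=''', ''' OR ''''='''
```

Because the query text here does not actually depend on the input, a plain static SELECT would be simpler still; the parameterized sp_executesql form matters when dynamic SQL is genuinely required, and even then only the values should be parameterized, never the structure of the statement.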

The above book excerpt is from:

Super SQL Server Systems
Turbocharge Database Performance with C++ External Procedures

ISBN: 0-9761573-2-2
Joseph Gama, P. J. Naughter

http://www.rampant-books.com/book_2005_2_sql_server_external_procedures.htm

Copyright © 1996 -2016 by Burleson. All rights reserved.


Oracle® is the registered trademark of Oracle Corporation. SQL Server® is the registered trademark of Microsoft Corporation. 
Many of the designations used by computer vendors to distinguish their products are claimed as Trademarks