Web and Database Security - SQL Inject info

Web and Database Security - SQL Injection.
Here is a whitepaper on The Dangers of Dynamic Content (SQL Injection)
http://www.issadvisor.com/viewtopic.php?t=125
SQL Injection. 3 parts. The first part discusses the basics of how to test
web applications for SQL injection vulnerabilities. The second part goes into
the specifics of how to manually identify and test for SQL injection
vulnerabilities. And the third part describes how to exploit SQL injection to
retrieve data from the database.
http://www.issadvisor.com/viewtopic.php?t=123
Understanding this critical security issue helps web developers who leverage databases design and make their applications more secure.
Hopefully these two links are informative and useful. Please pass them on.

Similar Messages

  • Web form and database security risk

    I'd like to develop an Oracle Form or APEX Form where people don't have to login to use it. Like a registration form on our website, where anyone can fill it out. Ideally, the information entered into the form would be saved to an Oracle table (could use a flat file if database security is an issue). I'm a developer and don't know a lot about the security side.
    I'm thinking we would need a static IP address and an Oracle public password that doesn't expire, since the public doesn't have to login to use the form.
    Is this possible, and is it a database or network security risk?

    An APEX page can certainly be configured to not require authentication (that's pretty standard for the login/ registration page). There is no need for an "Oracle public password." There are accounts in the Oracle database that APEX uses but that no human needs to know the password for. If that's what you mean by "Oracle public password" then, yes, you do. But that would be the case no matter what authentication and authorization scheme you use in APEX.
    A static IP address for your web server is likely a good idea. It's possible to have DNS work with dynamic IP addresses but that's probably not what you want.
    Justin

  • Is there a difference between Web and Database Cache

    What, if any, is the difference between Web Cache and Database Cache?

    There is good documentation in the form of PDF files at the following general URL
    "http://otn.oracle.com/products/ias"
    and specifically at:
    http://technet.oracle.com/docs/products/ias/doc_index.htm
    I have read them all and most things are documented in great detail.
    I'm trying to get the Web Cache working but it core dumps immediately after trying to start it. I had no install errors reported and everything else I have tested seems to work. If you get it working could you please send me a note on anything special you did? I really need the Web Cache to work.

  • LabView Programmer working in ACG, 4 years 6 months experience on Machine Vision,Image Processing and Database like SQL.

    Punit Porwal
    Attachments:
    PunitPorwal.doc 54 KB

    Hi Adam,
    I am sorry to hear that you have been having such difficulties deploying your application. As far as the licensing goes, you are correct that the Vision RTE includes a license for VAS. You should be able to activate it using the same serial number. If you are unable to activate it using the serial number, you can try generating an activation code here.
    Can you offer some more detail on what is going wrong with the machine vision functions? Are you getting any error messages or warnings? Is your executable stopping? Also, have you tried building a simple executable from one of the examples in the NI Example finder? I am curious if this issue is specific to this executable or if it spans across all machine vision executables. For your reference, here is a White Paper that goes through the steps needed to create an executable using VDM.
    -Erik S
    Applications Engineer
    National Instruments

  • Sql injection

    What is SQL Injection?
    SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data. For example, by adding a single quote (‘) to the parameters, it is possible to cause a second query to be executed with the first.
    An attack against a database using SQL Injection could be motivated by two primary objectives:
    1. To steal data from a database from which the data should not normally be available, or to obtain system configuration data that would allow an attack profile to be built. One example of the latter would be obtaining all of the database password hashes so that passwords can be brute-forced.
    2. To gain access to an organisation’s host computers via the machine hosting the database. This can be done using package procedures and 3GL language extensions that allow O/S access.
    There are many ways to use this technique on an Oracle system. This depends upon the language used or the API. The following are some languages, APIs and tools that can access an Oracle database and be part of a Web-based application.
    * JSP
    * ASP
    * XML, XSL and XSQL
    * Javascript
    * VB, MFC, and other ODBC-based tools and APIs
    * Portal, the older WebDB, and other Oracle Web-based applications and API’s
    * Reports, discoverer, Oracle Applications
    * 3- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
    * Perl and CGI scripts that access Oracle databases
    * many more.
    Any of the above applications, tools, and products could be used as a base from which to SQL inject an Oracle database. A few simple preconditions need to be in place first though. First and foremost amongst these is that dynamic SQL must be used in the application, tool, or product, otherwise SQL Injection is not possible.
    The final important point not usually mentioned in discussions about SQL injection against any database including Oracle is that SQL injection is not just a Web-based problem. As is implied in the preceding paragraph, any application that allows a user to enter data that may eventually end up being executed as a piece of dynamic SQL can potentially be SQL injected. Of course, Web-based applications present the greatest risk, as anyone with a browser and an Internet connection can potentially access data they should not.
    While the second article of this series will include a much more in-depth discussion of how to protect against SQL injection attacks, there are a couple of brief notes that should be mentioned in this introductory section. Data held in Oracle databases should be protected from employees and others who have network access to applications that maintain that data. Those employees could be malicious or may simply want to read data they are not authorized to read. Readers should keep in mind that most threats to data held within databases come from authorized users.
    Protecting against SQL Injection on Oracle-based systems is simple in principle and includes two basic stages. These are:
    1. Audit the application code and change or remove the problems that allow injection to take place. (These problems will be discussed at greater length in the second part of this series.)
    2. Enforce the principle of least privilege at the database level so that even if someone is able to SQL inject an application to steal data, they cannot see anymore data than the designer intended through any normal application interface.
    The “Protection” section, which will be included in the second part of this series, will discuss details of how to apply some of these ideas specifically to Oracle-based applications.
    [http://www.securityfocus.com/infocus/1644]
    How does Oracle prevent SQL injections?

    mango_boy wrote:
    damorgan wrote:
    And they do so using bind variables
    http://www.morganslibrary.org/reference/bindvars.html
    and DBMS_ASSERT
    http://www.morganslibrary.org/reference/dbms_assert.html
    do you have any suggestion for mysql users??
    Yes. Install Oracle.
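
An added PL/SQL example for the bind-variable and DBMS_ASSERT answer above (editor's code, not code from the thread or from Morgan's Library). It shows the one case binds cannot cover, an identifier chosen by the caller, and how DBMS_ASSERT and an allowlist handle it while the value stays a bind. The tables CUSTOMERS and ORDERS with a STATUS column, and both procedure names, are assumptions for the demo.

```sql
-- Added example, not from the thread. Assumed schema: tables CUSTOMERS and
-- ORDERS, each with a STATUS column, owned by the user running this.

-- Vulnerable: both the identifier and the value are spliced into the text.
CREATE OR REPLACE PROCEDURE count_by_status_unsafe (
    p_table  IN  VARCHAR2,
    p_status IN  VARCHAR2,
    p_count  OUT NUMBER)
AS
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM ' || p_table ||
        ' WHERE status = ''' || p_status || ''''
        INTO p_count;
END;
/
-- p_status => 'x'' OR ''1''=''1'  turns the predicate into
--   WHERE status = 'x' OR '1'='1'
-- p_table  => 'orders WHERE 1=0 UNION SELECT 1 FROM dual --'
--   replaces the whole query; the '--' comments out the real WHERE clause.

-- Hardened: the value is bound, the identifier is checked.
CREATE OR REPLACE PROCEDURE count_by_status (
    p_table  IN  VARCHAR2,
    p_status IN  VARCHAR2,
    p_count  OUT NUMBER)
AS
    l_sql VARCHAR2(4000);
BEGIN
    -- Identifiers cannot be bind variables, so the table name is checked:
    -- first against an explicit allowlist (the real control), then with
    -- DBMS_ASSERT.SQL_OBJECT_NAME, which raises ORA-44002 unless the string
    -- is a well-formed name of an existing object, and ENQUOTE_NAME, which
    -- turns it into an exact, double-quoted identifier.
    IF UPPER(p_table) NOT IN ('CUSTOMERS', 'ORDERS') THEN
        RAISE_APPLICATION_ERROR(-20001, 'table not permitted');
    END IF;
    l_sql := 'SELECT COUNT(*) FROM '
          || DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SQL_OBJECT_NAME(p_table))
          || ' WHERE status = :status';
    -- The value is a bind variable: quotes inside p_status are data,
    -- never syntax, and the statement text is the same on every call.
    EXECUTE IMMEDIATE l_sql INTO p_count USING p_status;
END;
/
```

DBMS_ASSERT only vouches for form and existence; `sys.user$` passes `SQL_OBJECT_NAME` as readily as `customers` if the definer can see it, which is why the allowlist, not the assert, decides what the caller may name. The bind on the value is what makes the page's "add a single quote" test harmless.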

  • Essbase and database in different server

    Hi,
    Is it possible to put Essbase on one server and the database (Oracle, SQL Server) on another server? If it is possible, what are the things I need to do?
    Thanks,
    PC

    Hi,
    Assuming that you've got powerful boxes for this purpose, if you are going to use database server just as a repository database server for say, Planning, then that's fine to have essbase and rdbms on the same server. However, it's not advisable to have essbase on a server where a heavy datawarehouse is co-hosted.
    Alp

  • Preventing sql injection attack

    string objConn9 = "Provider = MSDAORA;User ID=103109798;Password=password;Data Source=orabis;";
    OleDbConnection myConnection9 = new OleDbConnection(objConn9);
    // placeholders in the statement text; the values are supplied separately below
    string commandString9 = "INSERT INTO users(username,password) VALUES(:username,:password)";
    OleDbCommand myCommand9 = new OleDbCommand(commandString9, myConnection9);
    myCommand9.Parameters.Add(":username", txtUsername.Text);
    myCommand9.Parameters.Add(":password", txtPassword.Text);
    myConnection9.Open();
    myCommand9.ExecuteNonQuery();
    myConnection9.Close();
    i'm using this code to try to remove the problem of
    users entering a comma or a semicolon and throwing off my query, but it's not working...
    is there an easy way to insert text values into oracle 8i
    that contain '; etc without throwing it off. I'm developing through c# and oracle 8i, the problem is most of the code examples are related to sql server and vb.net

    I may be off here, but in this case you appear to be okay. The code snippet you include looks to me like it is using bind variables. If you are using bind variables you are not susceptible to sql injection attacks.
    It is only when concatenating a string together to make a sql statement that injection attacks can occur.
    See
    http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:668624442763#18067076079313
    and search for injection.
    Or just go to
    http://asktom.oracle.com
    and search for "sql injection bind variable" for lots of other references.

  • Lightswitch Security, Protection against SQL Injection attacks etc.

    Hi all,
    I have been hunting around for some kind of documentation that explains how Lightswitch handles typical web application vulnerabilities such as SQL injection attacks.
    In the case of injection attacks it is my understanding the generated code will submit data to the database via named parameters to protect against such things, but it would be good to have some official account of how Lightswitch handles relevant OWASP issues to help provide assurance to businesses that relying on a framework such as Lightswitch does not introduce security risks.
    Is anyone aware of such documentation? I found this but it barely scratches the surface:
    http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
    There is this which describes best practices but nothing to say that these practices are adopted within Lightswitch
    http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
    Thanks for any help, I am amazed that it is so difficult to find?

    LS is a tool built on top of other technologies including Entity Framework.
    Here is a security doc about EF.
    http://msdn.microsoft.com/en-us/library/vstudio/cc716760(v=vs.100).aspx
    LS uses Linq to Entities and therefore is not susceptible to SQL injection.
    HTH,
    Josh
    PS... the only vulnerability that I'm aware of is when a desktop app is deployed as 2-tier instead of 3-tier. In that case, the web.config which contains connection strings is on the client machine, which is a risk. Here is a discussion related to db security & 2 vs 3-tier.
    https://social.msdn.microsoft.com/Forums/vstudio/en-US/93e035e0-0d2e-4405-a717-5b3207b3ccac/can-sql-server-application-roles-be-used-in-conjunction-with-lightswitch?forum=lightswitch

  • [ask] about oracle sql injection and escalation

    Hello, I'm a student, I'm studying Oracle. Now I want to research Oracle SQL injection. I had read some tutorials such as *'Hacking Oracle From Web, Advanced SQL Injection In Oracle Databases, Oracle Hacker HandBook ...'* but when I try to demo on my local server (11.0.1.6) it does not run, and this is my demo:
    -- first, I created table users
    create table users (name nvarchar2(50), pass nvarchar2(50));
    -- then I created a procedure as the system user
    create or replace procedure system.adduser(u nvarchar2, p nvarchar2)
    as
    begin
      insert into users values(u, p);
    end;
    /
    -- grant execute privilege to user oc
    grant execute on adduser to oc;
    -- login as user oc and create a procedure
    create or replace procedure sqli
    as
    begin
      execute immediate 'grant dba to oc';
    end;
    /
    -- and then, I run system's procedure
    declare
    begin
      system.adduser('admin','admin'' ; execute immediate  ''declare begin sqli() end;');
    end;
    /
    I hope an Oracle master can help me understand and improve my knowledge.
    Thanks
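
An added example (editor's PL/SQL, not part of the student's post or of the papers cited) that explains why the attempt above is inert and what the injectable shape of the same procedure looks like, beside its fix. It assumes the same SYSTEM-owned USERS table and low-privileged user OC; the table OC.PROOF, the procedure adduser_dynamic and the function whoami are made up for the demo.

```sql
-- Added example, not part of the student's post. Assumed: SYSTEM-owned
-- USERS table and low-privileged user OC from the post; OC.PROOF,
-- adduser_dynamic and whoami are names invented for this demo.

-- Why the posted attempt does nothing: inside PL/SQL, the static
--   insert into users values (u, p);
-- is compiled once with U and P as bind variables, so the whole argument
-- ('admin'' ; execute immediate ...') is stored as a single NAME value and
-- is never re-parsed. Separately, EXECUTE IMMEDIATE runs one statement or
-- one PL/SQL block; text after a ';' is a parse error (ORA-00911), not a
-- second statement.

-- The pattern that IS injectable: a definer's-rights procedure that
-- concatenates its arguments into dynamic SQL. The text is parsed at run
-- time with SYSTEM as the current user.
CREATE OR REPLACE PROCEDURE system.adduser_dynamic (u NVARCHAR2, p NVARCHAR2)
AS
BEGIN
    EXECUTE IMMEDIATE
        'INSERT INTO users VALUES (''' || u || ''', ''' || p || ''')';
END;
/
GRANT EXECUTE ON system.adduser_dynamic TO oc;

-- As OC: an invoker's-rights function (AUTHID CURRENT_USER) takes the
-- privileges of the current user at the moment it runs. Called from inside
-- SYSTEM's definer's-rights procedure, that user is SYSTEM. The function
-- records who it ran as; the autonomous transaction lets it commit from
-- inside the caller's INSERT.
CREATE TABLE oc.proof (ran_as VARCHAR2(128));
GRANT INSERT ON oc.proof TO PUBLIC;

CREATE OR REPLACE FUNCTION oc.whoami RETURN NVARCHAR2
    AUTHID CURRENT_USER
AS
    PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
    INSERT INTO oc.proof VALUES (SYS_CONTEXT('USERENV', 'CURRENT_USER'));
    COMMIT;
    RETURN 'x';
END;
/
GRANT EXECUTE ON oc.whoami TO PUBLIC;

-- The argument closes the literal, calls the function and reopens the
-- literal, so the generated statement is
--   INSERT INTO users VALUES ('admin', '' || oc.whoami() || '')
-- and OC.PROOF afterwards holds the row 'SYSTEM'.
BEGIN
    system.adduser_dynamic('admin', ''' || oc.whoami() || ''');
END;
/
-- Any statement SYSTEM holds a direct privilege for can replace the INSERT
-- in the function. Privileges that arrive only through a role (SYSTEM's
-- DBA role included) are not active in definer's-rights code, which is why
-- the published attacks aim at SYS-owned units, whose owner holds every
-- privilege directly.

-- Fix: bind the values. The student's static INSERT already does this;
-- for dynamic SQL, USING keeps the quote in the argument as data.
CREATE OR REPLACE PROCEDURE system.adduser_dynamic (u NVARCHAR2, p NVARCHAR2)
AS
BEGIN
    EXECUTE IMMEDIATE 'INSERT INTO users VALUES (:1, :2)' USING u, p;
END;
/
```

The grants to PUBLIC matter: SYSTEM's definer's-rights code must hold EXECUTE on the function and INSERT on the proof table as direct grants, not through a role. Oracle 12c added the INHERIT PRIVILEGES check on exactly this invoker's-rights path; the 11g-era server in the post predates it.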

    The best forum for this is probably Forum Home » Java » SQLJ/JDBC
    Presumably you are referring to oracle.sql.TIMESTAMP. While this is intended to (and does) correspond to java.sql.Timestamp it can't be a subclass because it needs to be a subclass of oracle.sql.Datum.

  • SQL injection and SQLFury

    We have recently had an SQL injection attack on our site. The web form in question was calling a second cfm with a post command. The second cfm did the actual db insert. After extensive research and revamping of the web form I believed that I had shut it down rather convincingly. I did the following to secure the form:
    - implemented the cfqueryparam tag on all applicable fields being entered in the form
    - introduced a hidden, random numeric variable for verification before completing the insert; it tests for its existence and if it is numeric
    - consolidated the two cfms into one page so the entry and insert are done in one cfm (to eliminate injection going directly thru insert cfm)
    However, I am still getting intermittent injection errors into my MS SQL table.  I don't believe it is getting in through the revised web form and am at a loss as to how it's getting through.
    I am now at the point that I am looking for a utility that will scan through my site or specific pages to identify SQL injection vulnerabilities. I found something called SQLFury and downloaded it; however, there is literally no documentation with it and I have no idea how to run it. I've researched the web and found no assistance on how to use this utility. Is anyone familiar with this utility or does anyone know of any other utility that will assist with validating ColdFusion methods?
    Any assistance would be very much appreciated.

    Ian:
    Thanks for the information. The utility is helpful and confirmed for me that my page was secure from SQL injection. The additional insight you provided has led me to discover that my issue was not an SQL injection, but a Cross Scripting attack. A web vulnerability utility from Acunetix helped me determine that.
    Thanks again,
    ...Wes

  • Sql Injection- Security

    I have an urgent requirement that has to be implemented with regard to sql Injections.
    My application went through a security scanning process and a few security threats with regard to SQL injection were found. We need your valuable support and guidelines to proceed further.
    Project Details: Windows application, VS2008
    Data Base: Sql Server 2008.
    The issue types and their details are listed below:
    Threat 1: During connection initialization 
    SqlConnection  connection = new SqlConnection(connectionString);
    At this line there is a chance of security threat. we are getting the connection string parameter from web.config as below
    private static readonly string connectionString = ConfigurationManager.AppSettings["ConnectionString"];
     Flaw Information
    Type: Untrusted Initialization 
    Issue: External Control of System or Configuration Setting 
    Attack Vector: system_data_dll.System.Data.SqlClient.SqlConnection.!newinit_0_1
    Function: int ExecuteNonQuery(string, System.Data.CommandType, string, 
    System.Data.SqlClient.SqlParameter[]) 
    Threat 2 : 
     Type: SQL Injection
     Issue: Improper Neutralization of Special Elements used in an SQL Command ('SQLInjection')
     Attack Vector: system_data_dll.System.Data.IDbCommand.ExecuteNonQuery
     Function: int FetchSPExecutedReturnValue(string, System.Collections.IDictionary)
    Threat Line:
     1. command.ExecuteNonQuery();
    There are few more similar threats same as above. pointed out the threat line:
    2.  dataReader = command.ExecuteReader();
    3.  adapter.Fill(ds); 
    4. dataReader = cmd.ExecuteReader(CommandBehavior.CloseConnection);
    I doubt whether the above lines of code are safe from SQL injection. If not, how can an attacker attack?
    One more thing: we are not passing any hard-coded queries to the DB at all. All the inputs are passed as parameters.
    I am not sure what kind of threat is there with this ( executeNonQuery(), Fill(dataset) and Connection initialization) and how to defend from malicious code/vulnerabilities. 
    Please help me out..... I will be waiting for your valuable support.
    Thanks,
    Purushotham. A

    Thanks for your quick reply....
    We are not passing the hard coded connection string value. We are getting it from Web.config.
    SqlConnection connection = new SqlConnection(connectionString)
    private static readonly string connectionString = ConfigurationManager.AppSettings["ConnectionString"];
    When we pass the connection string value as such, is there any chance of a threat from attackers?
    Thanks,
    purushotham.A 
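
An added T-SQL illustration (editor's example, not the poster's application) of why a scanner still reports ExecuteNonQuery and ExecuteReader as injection sinks when every input is a SqlParameter: the parameter only carries the value into the stored procedure intact; if the procedure then concatenates it into dynamic SQL, the injection happens on the server. The dbo.Users table, its columns and both procedure names are assumed.

```sql
-- Added example, not from the poster's code. Assumed: a dbo.Users table
-- with UserId and UserName; procedure names are invented for the demo.

-- Still injectable behind a fully parameterized client call: the procedure
-- splices its parameter into a string and executes the string. The
-- SqlParameter on the client delivers the attacker's text unchanged.
CREATE PROCEDURE dbo.SearchUsers_Unsafe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT UserId, UserName FROM dbo.Users WHERE UserName = '''
        + @Name + N'''';
    EXEC (@sql);
END;
GO
-- @Name = N'x'' OR 1=1 --'  executes as
--   SELECT UserId, UserName FROM dbo.Users WHERE UserName = 'x' OR 1=1 --'

-- Fixed: the value stays a parameter all the way to the parser.
CREATE PROCEDURE dbo.SearchUsers @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT UserId, UserName FROM dbo.Users WHERE UserName = @Name';
    EXEC sys.sp_executesql @sql, N'@Name nvarchar(100)', @Name = @Name;
END;
GO

-- If the statement does not need to be dynamic at all, the static form is
-- simpler still and is what a taint tracker expects behind a parameterized
-- call:
--   SELECT UserId, UserName FROM dbo.Users WHERE UserName = @Name;
```

The scanner flags the Execute* call because it cannot see inside the procedure; closing the finding means reviewing each procedure the application calls for `EXEC (@string)` or `sp_executesql` fed with concatenated text. The "Untrusted Initialization" item is a different matter: a connection string read from configuration is only a problem if an untrusted party can edit that file, so the control is file ACLs (and encrypting the section) rather than a code change.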

  • SQL Injections and XSS - Escaping Special Characters

    Hi, hope someone can help in regards to security and SQL Injections and XSS.
    We are using APEX 4.0.2 on Oracle 11.2.0.2.
    1. It seems the special characters we have entered into normal 'Text Items' 'Text Areas' etc are not being escaped (ie <,>,&, '). If I enter them into the field (ie Surname) they are saved as is into session state and the database - no escaping. Am I missing something such as an environment setting as I thought the "smart" oracle escaping rules would cater for this.
    Surely I don't have to manually do each of then.
    Just to confirm, am I looking in the correct places to assess if the characters are escaped or not - ie should they show as '&amp;&lt;&gt;' in session state and/or the database ?
    2. Also, for the Oracle procedures such as 'wwv_flow.accept', 'wwv_flow.show', 'wwv_flow_utilities.show_as_popup_calendar' - do these escape special characters? If not, then they must be vulnerable to SQL Injection attacks.
    Thx
    Nigel

    Recx Ltd wrote:
    Just to pitch in, escaping values internally (either in the database or session state) is extremely problematic. Data searches, string comparison, reporting and double escaping are all areas which suffer badly when you do this.
    Stripping characters on input can also cause problems if not considered within the context of the application. Names such as "O'Niel", statistical output such as "n < 300", fields containing deliberate HTML markup can be annoying to debug. In certain situations stripping is totally ineffective and may still lead to cross-site scripting.
    Apex applications that share the database with other applications will also be affected.
    The database should contain 'raw' unfettered data and output should be escaped properly, as Joel said, at render time. Either with Apex attributes or using PLSQL functions such as htf.escape_sc() as and when required.

    Do not needlessly resurrect old threads. After a couple of months watches expire and the original posters are not alerted to the presence of your follow-up.

    Recx Ltd wrote:
    Shameless plug: If you are in the game of needing to produce secure Apex code, you should get in touch.

    This crosses the line into spam: it violates the OTN Terms of Use, see 6(j).
    Promotional posts like this are liable to be removed by the moderators.

  • Options to connect SQL Server database securely

    Hello All,
    I am working on one of desktop application and requires very high security features related to database. One thing I require is do not want to store connection string in computer where application is installed i.e(App.Config) file.
    Also do not want to store it securely because during connection establish anyone can sniff the traffic and may capture whole connection string and so SQL server.
    One solution to my problem is build web service layer so that we do not need to concern about database connection. However as I am in middle of development, this option seems last hope for me.
    So I required help about another options that can fulfill my requirement security about SQL server connection string and database.
    Anyone having any idea?
    Regards,
    Dharmesh Solanki

    Hi dmsolanki,
    This forum is to discuss problems of C# development. Your question is not related to the topic of this forum. So I suggest you post the question in the SQL Server forums at
    http://social.msdn.microsoft.com/Forums/en-US/home?forum=sqlsecurity
    It is appropriate and more experts will assist you.
    Thanks.

  • Database Mirroring and Replication in SQL Server 2008 R2

    I have configured the mirroring and replication between 4 servers (A,B,C,D).i.e, Mirroring between A to B and C to D, Replication between A and C. The configuration was a success and I am able test the replication(B to C) when I have failed over the mirroring
    dbs(A to B). The replication works fine after the mirroring fail over but I am not able to check its status in the Replication monitor. When I am having any insert in a table which is replicated in B, it is reflected back to C..it means the replication is
    working fine.
    Any thought on how I can view the status of replication from mirrored server. I tried adding the publisher in the monitor, but no luck. If I check the snapshot agent status, it says could not retrieve the info, same with the log reader agent status.
    Any suggestions on this please.
    Thanks, Siri

    For example in your case...
    Server A is principal and Server B is Mirror with either Manual or Automatic Failover.
    Server A is replicated to Server B ( publisher & B is subscriber )
    In Server A Database named Test_Mirror_Replication is configured for both mirroring and Replication.
    Now you have failed over your Database 'Test_Mirror_Replication' from Server A to Server B.
    After the Failover Server A will act as Mirror for DB 'Test_Mirror_Replication' & Server B will act as Principal for DB 'Test_Mirror_Replication'
    Hope my understanding is correct ?
    If yes, then have you tried monitoring the replication after registering the other instance with the current principal database SQL instance name? I mean the current publisher database's SQL instance, not your old SQL instance name from before the mirroring role change or failover...
    Hope you are trying with the mirror database server name?
    Raju Rasagounder MSSQL DBA

  • SQL script based on hostname and database name?

    I am trying to write a script that I can run on several unix servers and databases that will do different sql statements based on which server and database it is being run in.
    Something like:
    if hostname = 'A' and database name = 'D' then do this
    else if hostname = 'B' and database name = 'F' then do that
    I have tried many different combinations of shell scripts and SQL scripts but can't seem to get anything that works.
    Can someone help me out? Thanks.

    Since you are already able to get the db and host info, you are well on your way to branching based on that information. All you need is the basic framework:
    declare
      db VARCHAR2(30);
      host VARCHAR2(30);
      sqlcmd VARCHAR2(4000);
    begin
      -- identify where this block is running
      select sys_context('userenv','host') host
           , sys_context('userenv','db_name') db_name
        into host
           , db
        from dual;
      case
        when db = 'XE' and host = 'mypc' then
          -- the call is built as text, wrapped in its own BEGIN/END so EXECUTE IMMEDIATE
          -- accepts it; db and host are passed as binds, not spliced into the text
          sqlcmd := q'[begin local_package.do_something('parm1', :db, :host); end;]';
          execute IMMEDIATE sqlcmd USING db, host;
        when db = 'DEV' and host in ('serv1','serv2') then
          sqlcmd := q'[begin different_package.do_something('parm1', :db, :host); end;]';
          execute IMMEDIATE sqlcmd USING db, host;
        else
          dbms_output.put_line('unrecognized db/host combination: '||db||', '||host);
      end case;
    end;
    /
    In this example I've used dynamic SQL since not all instances are guaranteed to have any or all of the package procedures referenced in the dynamic SQL. Without the dynamic SQL, you would get errors and be unable to run the script on any instance lacking one or more of the referenced package procedures.
