The following query gets executed in my program, where 'a' is the parameter value which I am taking as input and passing into the query:

    select * from emp where name LIKE LOWER('%a%')
Can anybody tell me whether an SQL injection attack can be done on the above query, or is it safe?
I have seen SQL injection with the WHERE clause and the LIKE operator, but can it be done with a function call as well? What can I pass instead of 'a' for SQL injection?
I am using a PL/SQL editor and Oracle DB.
The risk of SQL injection appears when your application interacts with the environment (another program or a user) and assembles the SQL query from parts using string concatenation. For example, you can write a PL/SQL procedure:

    create or replace procedure myproc(a varchar2) is
      sql_str    varchar2(4000);
      sql_result number;
    begin
      -- the parameter is concatenated straight into the SQL text
      execute immediate 'select count(*) from mytable where mycolumn = ' || a into sql_result;
    end;
    /
This procedure is vulnerable. You can pass it a string such as 'abc' or 1 = 1 (quotes included), or anything like this, and it distorts the result (or does something worse).
Or you can write it like this:

    create or replace procedure myproc(a varchar2) is
      sql_str    varchar2(4000);
      sql_result number;
    begin
      -- the parameter is passed as a bind variable, never as part of the SQL text
      -- (INTO must precede USING in EXECUTE IMMEDIATE)
      execute immediate 'select count(*) from mytable where mycolumn = :A' into sql_result using a;
    end;
    /

And this procedure is not vulnerable.
Also you can write:

    create or replace procedure myproc(a varchar2) is
      sql_str    varchar2(4000);
      sql_result number;
    begin
      -- static SQL: the parameter is a PL/SQL variable and is bound automatically
      select count(*) into sql_result from mytable where mycolumn = a;
    end;
    /

Here there are no problems at all; it is the most secure way (it is "static SQL"), but sometimes we need dynamic SQL (as in the first two examples).
Why is the first way bad and the second good? It is because the SQL engine compiles queries almost like other compilers compile their code, C++ for example. The SQL engine compiles the query as a "program" and defines the possible "variables" in this "program". The "variable" in the second procedure is the parameter :A. If the query contains "variables", the engine asks for their values (the USING clause) and passes them into the compiled query. In the first case the engine gets the concatenated string:

    select count(*) from mytable where mycolumn = 'abc' or 1 = 1

considers it as a whole "program" and executes it "as is". In the second case the engine gets the string

    select count(*) from mytable where mycolumn = :A

compiles it, defines one "variable" A and asks for its value, and then passes it to the "program", and that "program" just searches for the value 'abc' or 1 = 1 in the column mycolumn. This works not only with dynamic SQL in PL/SQL code. It works the same way in any language, and all popular frameworks (for Java, C#, Delphi, etc.) and all popular DBMSs provide instruments for safe work as in the second example.
Of course, this was a simplified example; sometimes the consequences can be much worse.
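The question's own LIKE LOWER('%a%') query, built both ways, as an added example that is not code from the original question or answer. The EMP table and its three rows are constructed for the demonstration, the function names count_emp_unsafe and count_emp_safe are hypothetical, and the payload string is one chosen to fit this particular query shape; it runs as a script in SQL*Plus or SQL Developer against an Oracle database.

```sql
-- Added example, not from the original post. Assumes a throwaway EMP table
-- (constructed here) and hypothetical function names.
SET SERVEROUTPUT ON

CREATE TABLE emp (name VARCHAR2(100));
INSERT INTO emp (name) VALUES ('Sam');
INSERT INTO emp (name) VALUES ('Ana');
INSERT INTO emp (name) VALUES ('Bob');
COMMIT;

-- 1. Vulnerable: the question's query with the parameter spliced into the SQL text.
--    Whatever p_name contains becomes SQL syntax, including quotes and comments,
--    so wrapping the pattern in a function call (LOWER) changes nothing.
CREATE OR REPLACE FUNCTION count_emp_unsafe(p_name IN VARCHAR2) RETURN NUMBER IS
  l_sql   VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM emp WHERE name LIKE LOWER(''%' || p_name || '%'')';
  DBMS_OUTPUT.PUT_LINE('unsafe SQL: ' || l_sql);
  EXECUTE IMMEDIATE l_sql INTO l_count;
  RETURN l_count;
END;
/

-- 2. Safe: the same query with the pattern passed as a bind variable.
--    The SQL text is fixed before execution; p_name is only ever data.
CREATE OR REPLACE FUNCTION count_emp_safe(p_name IN VARCHAR2) RETURN NUMBER IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM emp WHERE name LIKE LOWER(:pat)'
    INTO l_count
    USING '%' || p_name || '%';
  RETURN l_count;
END;
/

-- 3. Drive both with a harmless value and with an injection payload.
--    In the unsafe version the payload closes the string literal and the
--    LOWER( ) call, appends OR 1=1 so the WHERE clause is true for every row,
--    and a trailing "--" comments out the leftover "%')":
--      ... WHERE name LIKE LOWER('%x%') OR 1=1 --%')
--    In the safe version the same characters are just an (unmatched) pattern.
DECLARE
  l_payload VARCHAR2(100) := 'x%'') OR 1=1 --';
BEGIN
  DBMS_OUTPUT.PUT_LINE('unsafe, plain input : ' || count_emp_unsafe('a'));
  DBMS_OUTPUT.PUT_LINE('unsafe, payload     : ' || count_emp_unsafe(l_payload));
  DBMS_OUTPUT.PUT_LINE('safe,   payload     : ' || count_emp_safe(l_payload));
END;
/

DROP TABLE emp PURGE;
```

The DBMS_OUTPUT line in count_emp_unsafe shows the statement the engine actually receives, which is the quickest way to see why the answer's "compiled program with variables" distinction matters: with concatenation the payload rewrites the program, with the bind it only changes the value of :pat. One caveat that binds do not remove: `%` and `_` inside p_name are still LIKE wildcards, so an input of `%` matches every row in both versions. That is a matching-semantics issue rather than injection, and is handled with ESCAPE or by rejecting such input, not by the bind.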