Preventing SQL injection attacks
SQL injection is not a design bug but a deliberate malicious practice. Database developers must follow best practices when writing PL/SQL code. Where the code cannot be modified, the application interface layer can also help reduce the attack surface.
Let's take a brief look at the precautionary measures to minimize injection attacks:
- Check your dynamic SQL: Dynamic SQL text that is built at runtime and directly embeds user-supplied input is the classic entry point for injection in an application. You can protect such statements against injection attacks through either of these techniques:
- Reduce the direct exposure of client inputs to dynamic SQL: You can sanitize and validate the client-supplied inputs before they are used in dynamic SQL. Oracle provides the DBMS_ASSERT package to verify the inputs.
- Use bind arguments in dynamic SQL: Database developers are encouraged to make use of bind arguments for multiple reasons, and one of them is security...
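The two measures above, shown side by side as an added PL/SQL example that is not part of the original text. A vulnerable lookup concatenates both a caller-supplied table name and a search value into the statement; the hardened version validates the identifier with DBMS_ASSERT (identifiers cannot be bound) and passes the value as a bind argument. The table demo_customers, its column cust_name and the function names are assumed for illustration.

```sql
-- Added example (not from the original text). Table demo_customers and
-- column cust_name are assumed names constructed for the demonstration.

-- Vulnerable form: identifier and value are both concatenated into the
-- statement text, so the value is parsed as part of the SQL.
CREATE OR REPLACE FUNCTION count_by_name_unsafe (
    p_table IN VARCHAR2,
    p_name  IN VARCHAR2
) RETURN NUMBER IS
    l_count NUMBER;
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM ' || p_table ||
        ' WHERE cust_name = ''' || p_name || ''''
    INTO l_count;
    RETURN l_count;
END;
/

-- Hardened form:
--   * the table name cannot be a bind variable, so it is checked with
--     DBMS_ASSERT.SQL_OBJECT_NAME, which raises ORA-44002 unless the
--     string is the name of an existing SQL object;
--   * the search value is supplied through a bind argument (USING), so
--     it never becomes part of the statement text.
CREATE OR REPLACE FUNCTION count_by_name_safe (
    p_table IN VARCHAR2,
    p_name  IN VARCHAR2
) RETURN NUMBER IS
    l_table VARCHAR2(128);
    l_count NUMBER;
BEGIN
    l_table := DBMS_ASSERT.SQL_OBJECT_NAME(p_table);
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM ' || l_table || ' WHERE cust_name = :name'
    INTO l_count
    USING p_name;
    RETURN l_count;
END;
/

-- Constructed sample data for the demonstration.
CREATE TABLE demo_customers (cust_name VARCHAR2(100));
INSERT INTO demo_customers VALUES ('Smith');
INSERT INTO demo_customers VALUES ('Jones');
COMMIT;

SET SERVEROUTPUT ON
DECLARE
    -- A value containing a quote and a tautology, i.e. data that looks
    -- like SQL. Stored as the PL/SQL string: x' OR '1'='1
    l_tricky VARCHAR2(100) := 'x'' OR ''1''=''1';
BEGIN
    -- Unsafe: the tail of the value is interpreted as SQL, so every row
    -- matches and the count is 2.
    DBMS_OUTPUT.PUT_LINE('unsafe: ' ||
        count_by_name_unsafe('demo_customers', l_tricky));

    -- Safe: the whole string is compared as a value, so the count is 0.
    DBMS_OUTPUT.PUT_LINE('safe:   ' ||
        count_by_name_safe('demo_customers', l_tricky));

    -- Safe with a table name that is not a plain identifier:
    -- DBMS_ASSERT rejects it before any statement is built.
    BEGIN
        DBMS_OUTPUT.PUT_LINE(
            count_by_name_safe('demo_customers WHERE 1=1 --', 'Smith'));
    EXCEPTION
        WHEN OTHERS THEN
            DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
    END;
END;
/
```

The split between the two techniques follows from what dynamic SQL can bind: data values (predicates, inserted values) should always travel as bind arguments, while schema and object names, which cannot be bound, are the case DBMS_ASSERT is for. Validating a value with DBMS_ASSERT and then concatenating it is weaker than binding it, so in practice the package should be reserved for identifiers.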