One thought on “CFCamp 2012 – Germany”

  1. Input validation is not easy. Just checking if p_tname is a valid Oracle identifier is often not sufficient. Sometimes you can bypass this kind of validation by creating an object called “‘ or 1=user1.f1--” and inject this into a function/procedure. Or developers (e.g. from Oracle in 10.2.0.3 in 2007) are using dbms_assert incorrectly, …. I don’t cast stones, I just want to highlight that nobody is perfect and most people wrote insecure code in the past (you, me, Oracle, all developers). Developers often forget their old development “sins”. From my experience I know that many developers never heard of SQL injection. You do not know how old the code from the bank is, who wrote the code (Oracle consulting, …), … I’m still looking for a guide: “How to do input validation in Oracle if bind variables are not possible”. Is there something like that on asktom?
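The pattern the comment asks about, shown as an added example that is not part of the original post or of any product mentioned in it: an "object exists" lookup of the kind the comment warns about, next to a wrapper that validates the identifier with DBMS_ASSERT, emits it double-quoted, and passes the value as a bind variable. The function names, the ID column and the p_id parameter are illustrative assumptions.

```sql
-- Added example, not from the original post. Illustrative names: get_rows_naive,
-- get_rows_checked, column ID. Both take a table name and a lookup value.

-- Naive: an existence lookup says nothing about what the name contains, and the
-- name is then spliced into the statement as raw SQL text, as is the value.
CREATE OR REPLACE FUNCTION get_rows_naive(p_tname IN VARCHAR2, p_id IN VARCHAR2)
  RETURN SYS_REFCURSOR
AS
  l_cur   SYS_REFCURSOR;
  l_count PLS_INTEGER;
BEGIN
  SELECT COUNT(*) INTO l_count FROM user_objects WHERE object_name = UPPER(p_tname);
  IF l_count = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'unknown object');
  END IF;
  -- name and value both end up as statement text
  OPEN l_cur FOR 'SELECT * FROM ' || p_tname || ' WHERE id = ''' || p_id || '''';
  RETURN l_cur;
END;
/

-- Checked: the identifier must parse as a simple SQL name (SIMPLE_SQL_NAME raises
-- ORA-44003 otherwise), is emitted double-quoted by ENQUOTE_NAME so whatever it
-- contains stays inside one identifier, and the value travels as a bind variable.
CREATE OR REPLACE FUNCTION get_rows_checked(p_tname IN VARCHAR2, p_id IN VARCHAR2)
  RETURN SYS_REFCURSOR
AS
  l_cur  SYS_REFCURSOR;
  l_name VARCHAR2(130);
BEGIN
  l_name := DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(p_tname));
  OPEN l_cur FOR 'SELECT * FROM ' || l_name || ' WHERE id = :1' USING p_id;
  RETURN l_cur;
END;
/
```

The split is the usual answer to the comment's question: identifiers cannot be bound, so they go through DBMS_ASSERT and are quoted; everything that can be bound (the value) is bound, so only the validated identifier ever reaches the statement as text. With the default capitalize=TRUE, ENQUOTE_NAME uppercases an unquoted name, which matches Oracle's own case folding for unquoted identifiers.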