SQL Injections - Oracle
Ram Kedem
Copyright 2014 © Ram Kedem. All rights reserved. Not to be reproduced without written consent
Ramkedem.com
Lesson Goals
• What is a SQL Injection – basic example
• Avoiding SQL Injections
• Using Invoker and Definer Rights
SQL Injection – Basic Example
Avoiding SQL Injection
• To immunize your code against SQL injection attacks:
  • Use bind arguments explicitly with dynamic SQL.
  • Use bind arguments automatically with static SQL.
  • Validate and sanitize all input concatenated to dynamic SQL (DBMS_ASSERT).
  • Consider using Invoker’s rights.
Explicitly bind arguments with dynamic SQL
Automatic bind variables with static SQL
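The slides for the two bind-variable sections are images whose code did not survive extraction. The PL/SQL below is an added example, not the author's code: the same lookup written the unsafe way and then in the two safe shapes the list above names. It assumes Oracle's sample table HR.EMPLOYEES; the function names, the sample value 'Kochhar' and the triage query at the end are constructed for this example.

```sql
-- Added example (not from the slides). Assumes HR.EMPLOYEES(LAST_NAME, SALARY).

-- 1. Unsafe: the caller's value is spliced into the statement text, so a value
--    containing a single quote changes the structure of the statement itself.
CREATE OR REPLACE FUNCTION get_salary_unsafe (p_last_name IN VARCHAR2)
  RETURN NUMBER
IS
  l_sql    VARCHAR2(4000);
  l_salary NUMBER;
BEGIN
  l_sql := 'SELECT salary FROM hr.employees WHERE last_name = '''
           || p_last_name || '''';
  EXECUTE IMMEDIATE l_sql INTO l_salary;
  RETURN l_salary;
END;
/

-- 2. Dynamic SQL with an explicit bind argument: the value travels through the
--    USING clause, so it is only ever data and never statement text.
CREATE OR REPLACE FUNCTION get_salary_dynamic (p_last_name IN VARCHAR2)
  RETURN NUMBER
IS
  l_salary NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT salary FROM hr.employees WHERE last_name = :name'
    INTO l_salary
    USING p_last_name;
  RETURN l_salary;
END;
/

-- 3. Static SQL: PL/SQL makes p_last_name a bind variable automatically and
--    there is no string building at all. Prefer this whenever the statement
--    text is known at compile time.
CREATE OR REPLACE FUNCTION get_salary_static (p_last_name IN VARCHAR2)
  RETURN NUMBER
IS
  l_salary NUMBER;
BEGIN
  SELECT salary
    INTO l_salary
    FROM hr.employees
   WHERE last_name = p_last_name;
  RETURN l_salary;
END;
/

-- Sample call ('Kochhar' is unique in the HR sample data, so SELECT INTO
-- returns exactly one row). All three functions agree on ordinary input;
-- only get_salary_unsafe behaves differently once the input contains a quote.
SELECT get_salary_static('Kochhar') AS salary FROM dual;

-- Triage query (crude, constructed for this example): program units in the
-- current schema that use EXECUTE IMMEDIATE but never mention USING. Those are
-- the candidates for concatenated input and should be reviewed by hand; here
-- it lists GET_SALARY_UNSAFE and not GET_SALARY_DYNAMIC.
SELECT DISTINCT s.name, s.type
  FROM user_source s
 WHERE UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%'
   AND NOT EXISTS (SELECT 1
                     FROM user_source u
                    WHERE u.name = s.name
                      AND u.type = s.type
                      AND UPPER(u.text) LIKE '%USING%');
```

The triage query is deliberately simple: it also clears units that bind through DBMS_SQL.BIND_VARIABLE or that merely contain the word USING in a comment, so treat its output as a review list rather than a verdict.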
Avoiding SQL Injection using DBMS_ASSERT
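The DBMS_ASSERT slides are images with no extracted code, so the following is an added example rather than the author's. It covers the case bind variables cannot handle: identifiers (schema and table names) chosen by the caller, which have to be validated before they are concatenated into the statement. The function name, the sample names HR and EMPLOYEES, and the deliberately malformed 'EMP LOYEES' are constructed for this example.

```sql
-- Added example (not from the slides). Identifiers cannot be bind variables,
-- so a caller-supplied schema or table name must be checked with DBMS_ASSERT
-- before it is concatenated into dynamic SQL.
CREATE OR REPLACE FUNCTION count_rows (p_schema IN VARCHAR2,
                                       p_table  IN VARCHAR2)
  RETURN NUMBER
IS
  l_count NUMBER;
BEGIN
  -- SCHEMA_NAME raises ORA-44001 unless the value is an existing schema
  -- (compared as stored, i.e. upper case for unquoted names).
  -- SIMPLE_SQL_NAME raises ORA-44003 unless the value is one syntactically
  -- valid identifier: no spaces, semicolons, comment markers or stray quotes.
  -- ENQUOTE_NAME double-quotes the checked name (upper-casing it unless it was
  -- already quoted) and rejects embedded double quotes, so each piece of the
  -- statement text is guaranteed to be exactly one identifier.
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM '
    || DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SCHEMA_NAME(p_schema)) || '.'
    || DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(p_table))
    INTO l_count;
  RETURN l_count;
END;
/

-- Exercise the checks. The first call runs; the second is rejected before any
-- SQL is built, because 'EMP LOYEES' is not a single identifier.
DECLARE
  invalid_sql_name EXCEPTION;
  PRAGMA EXCEPTION_INIT(invalid_sql_name, -44003);
  l_n NUMBER;
BEGIN
  l_n := count_rows('HR', 'EMPLOYEES');
  DBMS_OUTPUT.PUT_LINE('HR.EMPLOYEES rows: ' || l_n);

  BEGIN
    l_n := count_rows('HR', 'EMP LOYEES');
  EXCEPTION
    WHEN invalid_sql_name THEN
      DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);  -- ORA-44003 invalid SQL name
  END;
END;
/
```

Two caveats a practitioner should keep in mind. First, when a whole qualified name arrives as one string, DBMS_ASSERT.SQL_OBJECT_NAME additionally verifies that the object exists (ORA-44002), and DBMS_ASSERT.ENQUOTE_LITERAL is the counterpart for string values that genuinely cannot be bound, such as in DDL. Second, DBMS_ASSERT checks syntax and existence, not authorization: a name that passes every check may still be a table the caller should not see, so the procedure must still enforce who may ask for what, or run with invoker's rights so the database enforces it.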
Invoker and Definer rights
• Definer’s rights:
  • Programs execute with the privileges of the creating user.
  • A user does not require privileges on the underlying objects the procedure accesses.
  • The user only requires the privilege to execute the procedure.
• Invoker’s rights:
  • Programs execute with the privileges of the calling user.
  • A user requires privileges on the underlying objects the procedure accesses.
  • There is no need for duplication of code. A single compiled program unit can be made to use schema A's objects when invoked by User A and schema B's objects when invoked by User B.
  • This way, we have the option of creating a code repository in one place and sharing it with various production users.
Definer’s rights
Invoker’s rights
Change Password Procedure
Use Invoker's right
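The definer's-rights, invoker's-rights and change-password slides are images whose code was not extracted. The PL/SQL below is an added example, not the slides' own code, built around the scenario their titles describe: a change-password procedure that must concatenate because ALTER USER is DDL and takes no bind variables. SEC_ADMIN (the owner, assumed to hold ALTER USER), APP_USER (the caller), the procedure names and the sample password are all constructed for this example.

```sql
-- Added example, not the slides' own code. SEC_ADMIN and APP_USER are
-- constructed names; SEC_ADMIN is assumed to hold the ALTER USER privilege.

-- 1. Definer's rights (AUTHID DEFINER is the default). The ALTER USER inside
--    runs with SEC_ADMIN's ALTER USER privilege, so anyone granted EXECUTE
--    could reset any account unless the procedure itself limits the target.
CREATE OR REPLACE PROCEDURE sec_admin.change_my_password_definer (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2)
  AUTHID DEFINER
IS
BEGIN
  -- The procedure, not the database, has to enforce "own account only".
  -- SESSION_USER is the real caller even inside a definer's-rights unit;
  -- names are compared as stored (upper case for unquoted accounts).
  IF p_username <> SYS_CONTEXT('USERENV', 'SESSION_USER') THEN
    RAISE_APPLICATION_ERROR(-20001, 'you may only change your own password');
  END IF;

  -- DDL cannot take bind variables, so both parts are validated and quoted
  -- with DBMS_ASSERT before concatenation. SCHEMA_NAME raises ORA-44001 if
  -- the account does not exist (every Oracle user is a schema); ENQUOTE_NAME
  -- rejects embedded double quotes, so each part stays a single token.
  EXECUTE IMMEDIATE 'ALTER USER '
    || DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SCHEMA_NAME(p_username))
    || ' IDENTIFIED BY '
    || DBMS_ASSERT.ENQUOTE_NAME(p_password, FALSE);
END;
/

-- 2. Invoker's rights. The same DDL now runs with the caller's privileges:
--    Oracle lets any user change their own password without ALTER USER and
--    raises ORA-01031 for any other target unless the caller holds it, so the
--    database enforces the rule and the procedure needs no target check.
CREATE OR REPLACE PROCEDURE sec_admin.change_my_password (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2)
  AUTHID CURRENT_USER
IS
BEGIN
  EXECUTE IMMEDIATE 'ALTER USER '
    || DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SCHEMA_NAME(p_username))
    || ' IDENTIFIED BY '
    || DBMS_ASSERT.ENQUOTE_NAME(p_password, FALSE);
END;
/

-- The caller still needs EXECUTE on the unit itself.
GRANT EXECUTE ON sec_admin.change_my_password TO app_user;

-- Connected as APP_USER (constructed sample password):
BEGIN
  sec_admin.change_my_password('APP_USER', 'Example-Passw0rd-only');
END;
/
-- The same call with a different account as p_username fails with ORA-01031
-- (insufficient privileges), because APP_USER does not hold ALTER USER.
```

The contrast is the point of the slides' recommendation: under definer's rights the EXECUTE grant is effectively a grant of the owner's ALTER USER, and one forgotten check in the procedure body exposes it; under invoker's rights the privilege check moves back into the database and applies to whoever actually called. The DBMS_ASSERT calls are needed in both versions, since switching the AUTHID clause changes whose privileges apply but does nothing about injection into the concatenated DDL.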