File Library

SQL Injection Attacks and Defenses
Topic: Application Express
Owner: Tim Austwick
Date: 2013-07-01
Subtopic: Tips and Techniques

The presentation is structured as follows:

- Introduction
- Overview of generic SQL Injection vulnerabilities
- Demonstration 1 - SQL Injection in an Apex application due to insecure PL/SQL in report definition
- Demonstration 2 - SQL Injection in an Apex application due to substitution variables in item source definition
- Common types of SQL Injection in Apex applications, with code examples and remediation guidance:
- Execute Immediate
- Dynamic Cursors
- Function Returning SQL Query
- Substitution Variables
- Summary and Questions

The demonstrations serve to exhibit the problem of SQL Injection and the power of such security vulnerabilities in Apex applications. Then each type of SQL Injection in Apex applications will be presented with details on how to refactor the PL/SQL code to ensure the application is no longer vulnerable. The demonstrations and samples are sanitised versions of real-world code that we have seen while performing security consultancy for our customers.

Download File   TimAustwick.SQLInjectionInAPEX.pdf

Become a member of ODTUG to gain access to more than 12,500 files in our technical database.

  • Not a member? Click through to the topic of interest to browse a list of available presentations.
  • Already a member? Log-in here to access the full database

Click here to see the Full Techincal Resource Database