Penetration Testing mailing list archives
RE: PL/SQL web application
From: "Balwant Rathore" <balwant () mahindrabt com>
Date: Wed, 26 Feb 2003 22:59:30 +0530
Date: Wed, 26 Feb 2003 20:55:48 +0530
Hi Naka,
As you say, using bind variable, we can protect against SQL Injection. But, how about XSS? Yes. We can't. (Is this correct?)
As XSS vulnerable web applications takes input and gives output without filtering. Using bind variable you can validate input and give output accordingly. Another way is detailed code review that searches the code for validation for all headers, cookies, query strings, form fields, and hidden fields(i.e., all parameters) against a rigorous validation of what should be allowed.
Why they choosed PL/SQL for programming language? I cannot understand.
Stored PL/SQL is faster because it parses only ones and resides in main memory and further request doesn't require re-parsing. For example if a 100 line SQL statement accessed by 100 clients. It has to compile 100 x 100 times. Same thing can be achieved in PL/SQL block in compiling only once. Rich family of In-built function also makes it faster as compare to other languages. ItÂ’s good to perform DML operations in PL/SQL rather than using methods of other languages, as they require heavy processing to perform the same actions. Balwant Rathore, CISSP Security Practices Group, Mahindra-British Telecom Ltd. Oberoi Estate Gardens, Chandivali, Mumbai - 400 072, India. Tel : +91 22 56922000 Extn - 8010 Fax : +91 22 28528959 Mobile: +91 98208 03333 ********************************************************* Disclaimer This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. ********************************************************* Visit us at http://www.mahindrabt.com ---------------------------------------------------------------------------- <Pre>Do you know the base address of the Global Offset Table (GOT) on a Solaris 8 box? CORE IMPACT does.</Pre> <A href="http://www.securityfocus.com/core"> http://www.securityfocus.com/core</A>
Current thread:
- RE: PL/SQL web application Balwant Rathore (Feb 26)
- <Possible follow-ups>
- RE: PL/SQL web application Balwant Rathore (Feb 26)
- Re: PL/SQL web application Alex Russell (Feb 26)