Security Basics mailing list archives

Is sql-injection possible in following code

From: sk <sk10_0 () yahoo com>
Date: Sat, 15 Aug 2009 00:16:58 +0530 (IST)

Is sql-injection is possible in following procedure if yes then how .. I tried some sql injection techniques but 
nothing worked. it is for oracle database

CREATE OR REPLACE PROCEDURE demo( MyID IN VARCHAR2) AS 
     Employee_rec Employee%ROWTYPE;
BEGIN
DBMS_OUTPUT.PUT_LINE(MyID);
     SELECT * INTO Employee_rec FROM Employee WHERE ID= MyID  ;
     DBMS_OUTPUT.PUT_LINE(Employee_rec.Salary);

     Employee_rec.Salary := 900;

     DBMS_OUTPUT.PUT_LINE(Employee_rec.Salary);
  END;



table used
create table Employee(
     ID                 VARCHAR2(4 BYTE)         NOT NULL,
     First_Name         VARCHAR2(10 BYTE),
     Last_Name          VARCHAR2(10 BYTE),
     Start_Date         DATE,
     End_Date           DATE,
     Salary             Number(8,2),
     City               VARCHAR2(10 BYTE),
     Description        VARCHAR2(15 BYTE)
   )
   /
insert into Employee(ID,  First_Name, Last_Name, Start_Date,                    End_Date,    

                   Salary,  City,       Description)
 values ('01','Jason',    'Martin',  to_date('19960725','YYYYMMDD'), 

to_date('20060725','YYYYMMDD'), 1234.56, 'Toronto',  'Programmer')
    /
insert into Employee(ID,  First_Name, Last_Name, Start_Date,                     End_Date,   

                    Salary,  City,       Description)
values('02','Alison',   'Mathews', to_date('19760321','YYYYMMDD'), 

to_date('19860221','YYYYMMDD'), 6661.78, 'Vancouver','Tester')

Regards
Sumit

/


      Yahoo! recommends that you upgrade to the new and safer Internet Explorer 8. 
http://downloads.yahoo.com/in/internetexplorer/


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

Is sql-injection possible in following code sk (Aug 14)
- Re: Is sql-injection possible in following code Terra Frost (Aug 18)
  - Re: Is sql-injection possible in following code sk (Aug 18)
  - Re: Is sql-injection possible in following code Fabien Vincent (Aug 18)
- <Possible follow-ups>
- Re: Re: Is sql-injection possible in following code dan . crowley (Aug 19)