Penetration Testing mailing list archives
RE: PL/SQL web application
From: "Balwant Rathore" <balwant () mahindrabt com>
Date: Wed, 26 Feb 2003 18:16:53 +0530
Hi Naka,
My target web site doesn't sanitize any input. This means that PL/SQL doesn't have a sanitizing function? I can't use regexp in PL/SQL? If so, I think that PL/SQL isn't suitable for web applications.
It's correct that PL/SQL doesn't have any function for sanitizing input. But you can make your own function in PL/SQL using bind variables as input. By using bind variables in a PL/SQL block you can sanitize any input from the client. A bind variable's session is open only for the individual client who has requested that session. They also provide very strong protection against SQL injection.

Balwant Rathore, CISSP
Security Practices Group, Mahindra-British Telecom Ltd.
Oberoi Estate Gardens, Chandivali, Mumbai - 400 072, India.
Tel : +91 22 56922000 Extn - 8010
Fax : +91 22 28528959
Mobile: +91 98208 03333
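The bind-variable point in the reply above, as an added example that is not part of the original message: a lookup built by string concatenation (injectable) next to the same lookup done with a bind variable, first through `EXECUTE IMMEDIATE ... USING` and then as static SQL, which PL/SQL binds automatically. The table `APP_USERS(USERNAME, STATUS)` is a hypothetical one used only for illustration.

```sql
-- Hypothetical table assumed for this example.
-- CREATE TABLE app_users (username VARCHAR2(64), status VARCHAR2(30));

-- Vulnerable pattern: the client-supplied value is spliced into the SQL text,
-- so it is parsed as part of the statement instead of being treated as data.
CREATE OR REPLACE FUNCTION get_status_unsafe(p_user IN VARCHAR2) RETURN VARCHAR2 IS
  v_status VARCHAR2(30);
  v_sql    VARCHAR2(4000);
BEGIN
  v_sql := 'SELECT status FROM app_users WHERE username = ''' || p_user || '''';
  EXECUTE IMMEDIATE v_sql INTO v_status;
  RETURN v_status;
END;
/

-- Hardened pattern: the statement text is a constant; the value is passed
-- through the bind variable :u via USING, so it can never alter the query's
-- structure. The same parsed statement is reused for every caller.
CREATE OR REPLACE FUNCTION get_status_safe(p_user IN VARCHAR2) RETURN VARCHAR2 IS
  v_status VARCHAR2(30);
BEGIN
  EXECUTE IMMEDIATE 'SELECT status FROM app_users WHERE username = :u'
    INTO v_status USING p_user;
  RETURN v_status;
EXCEPTION
  WHEN NO_DATA_FOUND THEN RETURN NULL;
END;
/

-- Static SQL inside a PL/SQL block binds p_user automatically; no dynamic SQL
-- is needed when the statement shape is known at compile time.
CREATE OR REPLACE FUNCTION get_status_static(p_user IN VARCHAR2) RETURN VARCHAR2 IS
  v_status VARCHAR2(30);
BEGIN
  SELECT status INTO v_status FROM app_users WHERE username = p_user;
  RETURN v_status;
EXCEPTION
  WHEN NO_DATA_FOUND THEN RETURN NULL;
END;
/
```

Calling each function with a legitimate name that contains a single quote (for example O'Brien) shows the difference: the concatenating version fails with a quoting error or runs a different statement, while both bound versions simply look up that literal username. Bind variables cover data values only; table and column names cannot be bound and must be checked against a whitelist if they ever come from the client.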