Re: Is sql-injection possible in following code

[sk <sk10_0 () yahoo com>]

Yes i am asking a user input in procedure demo it will be called
sql> exec demo('01');
it produce desire result.

But I wasn't able to change the condition by user supplied data to look for other column ( like first_name) instead of 
ID. 

is it necessary to be vulnerable for sqlinjection procedure must use some Dynamic SQL statements  using execute 
immediate ???

why i am not getting any result if i use some thing like this
  
sql> exec demo('03 or first_name=''Jason''');

here i am trying to keep true where condition for first_name='Jason'

--- On Sat, 15/8/09, Terra Frost <terrafrost () gmail com> wrote:

> From: Terra Frost <terrafrost () gmail com>
> Subject: Re: Is sql-injection possible in following code
> To: "sk" <sk10_0 () yahoo com>
> Cc: security-basics () securityfocus com
> Date: Saturday, 15 August, 2009, 3:28 AM
> The injectability of your SQL depends
> on how they're being generated.
> If the values are being generated from user input, SQL
> injection may
> be possible depending, again, on how they're being
> generated.
>
> Ultimately, to assess the SQL injectability, we'll need to
> see the
> generating code - not the SQL queries that have been
> generated after
> the fact.
>
> On Fri, Aug 14, 2009 at 1:46 PM, sk<sk10_0 () yahoo com>
> wrote:
> > Is sql-injection is possible in following procedure if
> yes then how .. I tried some sql injection techniques but
> nothing worked. it is for oracle database
> > CREATE OR REPLACE PROCEDURE demo( MyID IN VARCHAR2)
> AS
> >     Employee_rec Employee%ROWTYPE;
> > BEGIN
> > DBMS_OUTPUT.PUT_LINE(MyID);
> >     SELECT * INTO Employee_rec FROM Employee WHERE
> ID= MyID  ;
> >     DBMS_OUTPUT.PUT_LINE(Employee_rec.Salary);
> >
> >     Employee_rec.Salary := 900;
> >
> >     DBMS_OUTPUT.PUT_LINE(Employee_rec.Salary);
> >  END;
> >
> >
> >
> > table used
> > create table Employee(
> >     ID                 VARCHAR2(4 BYTE)  
>       NOT NULL,
> >     First_Name         VARCHAR2(10 BYTE),
> >     Last_Name          VARCHAR2(10 BYTE),
> >     Start_Date         DATE,
> >     End_Date           DATE,
> >     Salary             Number(8,2),
> >     City               VARCHAR2(10 BYTE),
> >     Description        VARCHAR2(15 BYTE)
> >   )
> >   /
> > insert into Employee(ID,  First_Name, Last_Name,
> Start_Date,                    End_Date,
> >                   Salary,  City,      
> Description)
> >  values ('01','Jason',    'Martin',
>  to_date('19960725','YYYYMMDD'),
> > to_date('20060725','YYYYMMDD'), 1234.56, 'Toronto',
>  'Programmer')
> >    /
> > insert into Employee(ID,  First_Name, Last_Name,
> Start_Date,                     End_Date,
> >                    Salary,  City,      
> Description)
> > values('02','Alison',   'Mathews',
> to_date('19760321','YYYYMMDD'),
> > to_date('19860221','YYYYMMDD'), 6661.78,
> 'Vancouver','Tester')
> > Regards
> > Sumit
> >
> > /
> >
> >
> >      Yahoo! recommends that you upgrade to the new
> and safer Internet Explorer 8. http://downloads.yahoo.com/in/internetexplorer/
> >
> ------------------------------------------------------------------------
> > Securing Apache Web Server with thawte Digital
> Certificate
> > In this guide we examine the importance of Apache-SSL
> and who needs an SSL certificate.  We look at how SSL
> works, how it benefits your company and how your customers
> can tell if a site is secure. You will find out how to test,
> purchase, install and use a thawte Digital Certificate on
> your Apache web server. Throughout, best practices for
> set-up are highlighted to help you ensure efficient ongoing
> management of your encryption keys and digital
> certificates.
> > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------
> >


      Looking for local information? Find it on Yahoo! Local http://in.local.yahoo.com/


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------