SQL Injection in Oracle: An Exploration of Vulnerabilities

Authors

Sid Ansari, Sheridan CollegeFollow
Edward R. Sykes, Sheridan CollegeFollow

Document Type

Article

Publication Date

4-2012

Keywords

SQL injection, database vulnerabilities, stored procedure vulnerabilities, computer security

Abstract

Structured Query Language (SQL) injection is one of the most devastating vulnerabilities to impact a business, as it can lead to the exposure of sensitive information stored in an application’s database. SQL Injection can compromise usernames, passwords, addresses, phone numbers, and credit card details. It is the vulnerability that results when an attacker achieves the ability to influence SQL queries that an application passes to a back-end database. The attacker can often leverage the syntax and capabilities of SQL, as well as the power and flexibility of supporting database functionality and operating system functionality available to the database to compromise the web application. In this article we demonstrate two non-web based SQL Injection attacks one of which can be carried out by executing a stored procedure with escalating privileges. We present the unique way in which Oracle handles single and double quotes in strings because, as shown in this paper, this is one of the features of the language that can be exploited in the construction of an injection attack. Recommendations on how to resolve these vulnerabilities are proposed.

Faculty

Faculty of Applied Science & Technology

School

School of Applied Computing

Journal

International Journal on Computer Science and Engineering (IJCSE)

Version

Publisher's version

Peer Reviewed/Refereed Publication

yes

Terms of Use

Terms of Use for Works posted in SOURCE.

Copyright

© 2012 The Authors. Published by International Journal on Computer Science and Engineering. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

Creative Commons License

This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

Original Publication Citation

Ansari, S., & Sykes, E. R. (2012). SQL Injection in ORACLE: An exploration of vulnerabilities. International Journal on Computer Science and Engineering, 4(4), 522-531. Retrieved from http://www.enggjournals.com/ijcse/doc/IJCSE12-04-04-077.pdf

SOURCE Citation

Ansari, Sid and Sykes, Edward R., "SQL Injection in Oracle: An Exploration of Vulnerabilities" (2012). Faculty Publications and Scholarship. 7.
https://source.sheridancollege.ca/fast_appl_publ/7