View the Exhibit.
How do you reduce the chances of SQL injection for the procedure?
A. Execute the SQL statement in V_STMT as dynamic SQL.
B. Remove the default value for the arguments in the procedure.
C. Convert the condition in the WHERE clause to be accepted from the user and concatenated.
D. Convert the SELECT statement to static SQL, placing the value of P_EMAIL into a local variable.
D
http://docs.oracle.com/cd/B19306_01/appdev.102/b14251/adfns_dynamic_sql.htm#BJECFHAB
1) A portion of D) is incorrect, because you can directly assign the p_email value to the column cust_email without going through a local variable.
Another fix to prevent the SQL injection is DBMS_ASSERT.SIMPLE_SQL_TYPE(p_email), to avoid malicious string concatenation input like 'XXXX UNION select income from customers'.
D
D