Which three statements are appropriate for protecting the code in the procedure from SQL injection?

View the Exhibit and examine the procedure to create a trigger name based on the table name
supplied to the procedure.

Which three statements are appropriate for protecting the code in the procedure from SQL
injection? (Choose three.)

A. Explicitly validate the identifier length limit.

B. Add AUTHID DEFINER to the definition of the procedure.

C. Use PRAGMA RESTRICT_REFERENCES in the procedure.

D. Filter out control characters in user-supplied identifier names.

E. Use the object ID of the table from the data dictionary to build the trigger name.




morriarti

A,D,E

B is the wrong answer because an intruder would get privileges that they would not get if they used AUTHID CURRENT_USER.
C is wrong too:
https://docs.oracle.com/cd/A97630_01/appdev.920/a96624/11_dynam.htm
Look for "Using Pragma RESTRICT_REFERENCES".
In this particular case, using RESTRICT_REFERENCES will not protect us from injecting SQL commands into the trigger's body.

gelete

A, D, E

6.2 Handle Oracle Identifiers Carefully

In addition to following the guidelines for filtering input with DBMS_ASSERT routines,
here are a few other issues to pay particular attention to:

– Explicitly validate and enforce identifier length limits. Where length limits are being enforced,
these should be clearly marked so that they can be changed easily if the length limit does
change in future database releases.

– Take care to filter out control characters in user-supplied identifier names.
Control characters such as chr(10) (linefeed character) can generate spurious audit records, and so on.

– If an Oracle identifier needs to be generated based on a user-supplied identifier, avoid concatenating
the supplied identifier or using sequences to construct the generated Oracle identifier name. Instead,
consider looking up the object ID for the user-supplied identifier in the data dictionary and using the
object ID in the generated Oracle identifier name.

http://download.oracle.com/oll/tutorials/SQLInjection/html/lesson6/les06_tm_identifier.htm

Tutorial on Defending Against SQL Injection Attacks!
download.oracle.com/oll/tutorials/SQLInjection/index.htm
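As an added example that is neither the exam exhibit (which is not reproduced on this page) nor Oracle's tutorial code: a constructed PL/SQL procedure of the kind the question describes, first in an unsafe form that concatenates the supplied table name into the DDL, then rewritten to apply answers A, D and E together with DBMS_ASSERT. The procedure names, the trivial trigger body, the error numbers and the 30-byte identifier limit are assumptions for illustration only.

```sql
-- Constructed "before" procedure (not the exam exhibit): the caller's table
-- name is concatenated straight into the DDL, so attacker-controlled text
-- becomes part of the CREATE TRIGGER statement, trigger name and ON clause.
CREATE OR REPLACE PROCEDURE create_audit_trigger_unsafe (p_table_name IN VARCHAR2)
AUTHID CURRENT_USER
IS
BEGIN
  EXECUTE IMMEDIATE
    'CREATE OR REPLACE TRIGGER trg_aud_' || p_table_name ||
    ' BEFORE INSERT ON ' || p_table_name ||
    ' FOR EACH ROW BEGIN NULL; END;';
END create_audit_trigger_unsafe;
/

-- Hardened version applying the three guidelines (answers A, D and E).
-- This example deliberately accepts only plain, unquoted identifiers.
CREATE OR REPLACE PROCEDURE create_audit_trigger (p_table_name IN VARCHAR2)
AUTHID CURRENT_USER   -- invoker's rights: an injected statement gains no extra privilege
IS
  -- A: identifier length limit kept in one clearly named constant so it can
  -- be changed in one place (30 bytes before 12.2, 128 bytes from 12.2 on).
  c_max_ident_len  CONSTANT PLS_INTEGER := 30;
  l_name           VARCHAR2(128);
  l_dict_name      user_objects.object_name%TYPE;
  l_object_id      user_objects.object_id%TYPE;
  l_trigger_name   VARCHAR2(128);
BEGIN
  -- A: validate the length explicitly before the value is used anywhere.
  IF p_table_name IS NULL OR LENGTHB(p_table_name) > c_max_ident_len THEN
    RAISE_APPLICATION_ERROR(-20001, 'table name missing or longer than '
                                    || c_max_ident_len || ' bytes');
  END IF;

  -- D: reject control characters (CHR(0)-CHR(31), CHR(127)) so they never
  -- reach the DDL text, an error message or an audit record.
  IF REGEXP_LIKE(p_table_name, '[[:cntrl:]]') THEN
    RAISE_APPLICATION_ERROR(-20002, 'control characters are not allowed in a table name');
  END IF;

  -- Only plain identifiers are accepted here; quoted ones are refused, since a
  -- quoted identifier may contain characters a bare identifier cannot.
  IF INSTR(p_table_name, '"') > 0 THEN
    RAISE_APPLICATION_ERROR(-20003, 'quoted identifiers are not accepted');
  END IF;

  -- DBMS_ASSERT raises ORA-44003 if this is not a valid simple SQL name.
  l_name := DBMS_ASSERT.SIMPLE_SQL_NAME(UPPER(p_table_name));

  -- E: resolve the name in the data dictionary. From here on only the
  -- dictionary's own object_id and object_name are used, never the input.
  BEGIN
    SELECT object_id, object_name
      INTO l_object_id, l_dict_name
      FROM user_objects
     WHERE object_name = l_name
       AND object_type = 'TABLE';
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RAISE_APPLICATION_ERROR(-20004, 'no such table in the current schema');
  END;

  -- E: the generated trigger name carries the object ID, not the user's text,
  -- so no concatenated or sequence-built identifier depends on the input.
  l_trigger_name := 'TRG_AUD_' || TO_CHAR(l_object_id);

  EXECUTE IMMEDIATE
    'CREATE OR REPLACE TRIGGER ' || l_trigger_name ||
    ' BEFORE INSERT ON ' || DBMS_ASSERT.ENQUOTE_NAME(l_dict_name, FALSE) ||
    ' FOR EACH ROW BEGIN NULL; END;';
END create_audit_trigger;
/
```

Two design points worth noting. The length and control-character checks are separate from the DBMS_ASSERT call on purpose: SIMPLE_SQL_NAME validates syntax, but the tutorial's guidance (and answers A and D) is about enforcing limits and rejecting characters before the value is used anywhere, including in error text and audit records. And once the table has been resolved to its object ID, the only piece of caller-supplied text that still reaches the DDL is the ON clause, which uses the dictionary's own object_name wrapped by ENQUOTE_NAME rather than the parameter. AUTHID CURRENT_USER is kept rather than switching to AUTHID DEFINER (answer B), so that anything that did slip through would run with the caller's privileges, not the owner's.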