Examine the following line of code that is part of a PL/SQL application:
stmt := 'SELECT session_id FROM sessions WHERE ' || p_where_stmt;
Identify a solution for preventing SQL injection in the above code.
A.
Replace P_WHERE_STMT with a bind variable.
B.
Do not use APIs that allow arbitrary query parameters to be exposed.
C.
Use the RESTRICT_REFERENCES clause in the PL/SQL subprogram that contains the code.
D.
Use DBMS_SQL to detect that the expression provided for P_WHERE_STMT is free from
SQL injection.
A , D
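As an added illustration (not part of the original question or its answer key), the snippet below puts the vulnerable pattern from the question next to two hardened variants. The first fixes the SQL text and passes a typed value through a bind variable with EXECUTE IMMEDIATE; the second does the same through DBMS_SQL.BIND_VARIABLE. The package name, the SESSIONS(SESSION_ID, USER_ID) table and the p_user_id parameter are assumptions made for the example.

```plsql
-- Added example, not from the original page. Assumes a table
-- SESSIONS(SESSION_ID NUMBER, USER_ID NUMBER); package name is hypothetical.
CREATE OR REPLACE PACKAGE session_api AS
  -- Vulnerable: the caller supplies raw SQL text that is concatenated in.
  FUNCTION get_session_unsafe(p_where_stmt IN VARCHAR2) RETURN NUMBER;
  -- Hardened: the API accepts a typed value and binds it (fixed SQL text).
  FUNCTION get_session(p_user_id IN NUMBER) RETURN NUMBER;
  -- Same hardening using the DBMS_SQL interface.
  FUNCTION get_session_dbms_sql(p_user_id IN NUMBER) RETURN NUMBER;
END session_api;
/

CREATE OR REPLACE PACKAGE BODY session_api AS

  FUNCTION get_session_unsafe(p_where_stmt IN VARCHAR2) RETURN NUMBER IS
    stmt      VARCHAR2(4000);
    l_session NUMBER;
  BEGIN
    -- The pattern from the question: p_where_stmt becomes part of the SQL
    -- text, so whoever controls it controls the WHERE clause.
    stmt := 'SELECT session_id FROM sessions WHERE ' || p_where_stmt;
    EXECUTE IMMEDIATE stmt INTO l_session;
    RETURN l_session;
  END get_session_unsafe;

  FUNCTION get_session(p_user_id IN NUMBER) RETURN NUMBER IS
    -- The SQL text is a constant; the only caller-controlled part is a
    -- NUMBER value, which travels as data through the :uid bind variable.
    stmt      CONSTANT VARCHAR2(200) :=
      'SELECT session_id FROM sessions WHERE user_id = :uid';
    l_session NUMBER;
  BEGIN
    EXECUTE IMMEDIATE stmt INTO l_session USING p_user_id;
    RETURN l_session;
  END get_session;

  FUNCTION get_session_dbms_sql(p_user_id IN NUMBER) RETURN NUMBER IS
    c         INTEGER;
    l_session NUMBER;
    l_rows    INTEGER;
  BEGIN
    c := DBMS_SQL.OPEN_CURSOR;
    -- Parse fixed SQL text, then bind the typed value separately.
    DBMS_SQL.PARSE(c,
      'SELECT session_id FROM sessions WHERE user_id = :uid',
      DBMS_SQL.NATIVE);
    DBMS_SQL.BIND_VARIABLE(c, ':uid', p_user_id);
    DBMS_SQL.DEFINE_COLUMN(c, 1, l_session);
    l_rows := DBMS_SQL.EXECUTE(c);
    IF DBMS_SQL.FETCH_ROWS(c) > 0 THEN
      DBMS_SQL.COLUMN_VALUE(c, 1, l_session);
    END IF;
    DBMS_SQL.CLOSE_CURSOR(c);
    RETURN l_session;
  EXCEPTION
    WHEN OTHERS THEN
      -- Do not leak the cursor handle on error.
      IF DBMS_SQL.IS_OPEN(c) THEN
        DBMS_SQL.CLOSE_CURSOR(c);
      END IF;
      RAISE;
  END get_session_dbms_sql;

END session_api;
/
```

The point of the two hardened functions is the same: the parameter type is narrowed from "a fragment of SQL" to "a number", and that number is bound rather than concatenated, so it can only ever be compared against user_id and never parsed as SQL.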
OK, PL/SQL variables are already bind variables... not A
and C is a wrong typed error
B
B.
2.3 Reduce Arbitrary Inputs
Careful selection of parameter types to an API can considerably reduce
the scope of the attack, and make it a lot easier for customers to use.
http://download.oracle.com/oll/tutorials/SQLInjection/html/lesson2/les02_tm_inputs.htm