SQL Injection Attacks Up 69%, Here is How to Protect Yourself
SQL injection attacks are becoming significantly more popular amongst hackers, according to recent data. Between Q1 2012 and Q2 2012, there has been an estimated 69 percent increase of this attack type.
SQL injection can be easily avoided. How? Just use bind variables. Here is a quote from Tom Kyte:
If you use bind variables, you cannot be SQL Injected – this is true for PL/SQL, for Java, for any and all languages. If you use bind variables you cannot be SQL Injected – period. It is that simple, really and truly.
Tom also links to an excellent paper on this subject written by Bryn Llewellyn: How to write SQL injection proof PL/SQL [PDF].
It baffles me how such a simple and easy solution to such a big security problem is not implemented in the code base of all of these big companies that have recently been hacked.
Related articles:
- SQL Injection Prevention Cheat Sheet
- Bind, don’t concatenate, to optimize performance and simplify dynamic string construction
- When Your Bind Variable is Invalid and Your Column is Weird
Filed in Oracle, Security on 30 Jul 12 | Tags: sql
About This Blog
- Subscribe by Email
-
-
-
- The views expressed on this blog are mine alone and do not necessarily reflect the views of my employer.
