Question and Answer

Connor McDonald

Thanks for the question.

Asked: February 12, 2019 - 4:39 pm UTC

Last updated: February 19, 2019 - 7:55 am UTC

Version: oracle

Viewed 1000+ times

You Asked

I would like to know more about SQL injection. Why is it so hard to tell Oracle that a certain string is a parameter and not a part of a SQL command? For example, can a person call himself Delete and his name cannot be used in a search? And if you need to use the characters '--' in a text, will that be a problem for a SQL command?

Thanks

and Connor said...

Why is it so hard to tell Oracle that a certain string is a parameter and not a part of a SQL command?


Not sure what you mean by "hard"? You bind a variable and you're done!

This isn't an Oracle issue at all - it is a *coding* issue, i.e., if you let people build their own SQL (or you as a developer let people do it via your application) then you're going to get hacked.

Have a watch of this...it's fun, entertaining and a great outline of the risks of SQL injection
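To make the "bind a variable and you're done" point concrete, here is an added example that is not part of the AskTOM answer. It uses Python's built-in sqlite3 module as a stand-in for an Oracle connection so it runs offline; the `:name` bind-variable syntax is the same form Oracle (and python-oracledb) use. The table, rows and function names are constructed for this illustration. It shows the two things the question asks about: a customer literally named "Delete" and free text containing "--" are plain data when bound, while string concatenation makes the parser read user input as SQL and falls over on an ordinary apostrophe.

```python
import sqlite3

# Constructed sample data (not from the AskTOM page): names that look like SQL
# keywords, a name with an apostrophe, and a note containing the '--' marker.
SAMPLE_ROWS = [
    (1, "Delete", "regular customer"),
    (2, "O'Brien", "see -- follow-up notes"),
    (3, "Select", "new account"),
]


def open_demo_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, note TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_by_name_concat(conn, name):
    """The coding mistake Connor describes: user input pasted into the statement.

    The SQL parser cannot tell where the developer's SQL ends and the user's
    text begins, so any quote in the input changes the statement's structure.
    """
    sql = "SELECT id, name, note FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_bound(conn, name):
    """Bind variable: statement text is fixed, the value travels separately.

    'Delete', 'Select', a quote or '--' are all just data to the database.
    """
    sql = "SELECT id, name, note FROM customers WHERE name = :name"
    return conn.execute(sql, {"name": name}).fetchall()


def find_by_note_bound(conn, note):
    """Same idea for free text: '--' inside a bound value is not a comment."""
    sql = "SELECT id, name, note FROM customers WHERE note = :note"
    return conn.execute(sql, {"note": note}).fetchall()


def demo():
    """Run both styles against the sample data and collect the outcomes."""
    conn = open_demo_db()
    results = {}

    # Concatenation happens to work for a name with no special characters...
    results["concat_delete"] = find_by_name_concat(conn, "Delete")
    # ...but an apostrophe in the input is read as SQL syntax and breaks it.
    try:
        find_by_name_concat(conn, "O'Brien")
        results["concat_quote"] = "no error"
    except sqlite3.OperationalError:
        results["concat_quote"] = "syntax error"

    # With bind variables the same inputs are handled as plain values.
    results["bound_delete"] = find_by_name_bound(conn, "Delete")
    results["bound_quote"] = find_by_name_bound(conn, "O'Brien")
    results["bound_dashes"] = find_by_note_bound(conn, "see -- follow-up notes")

    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated version fails on "O'Brien" because the quote terminates the string literal early; the same mechanism is what lets crafted input rewrite the query. The bound version never has that problem, and in Oracle it also lets the optimizer reuse the parsed statement across calls, which is why Connor's advice is both the security fix and the performance-correct way to write it.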

