Plain SQL text on cloud platform - SQL Injection and Data security standards

Question and Answer

Chris Saxon

Thanks for the question, Rajneesh.

Asked: April 01, 2020 - 2:17 am UTC

Last updated: April 01, 2020 - 9:46 am UTC

Version: 19c

Viewed 1000+ times

You Asked

Hello TOM,

I need to know if querying through plain SQL text is accepted on the cloud platform from a data security standards perspective.
How about SQL injection bugs/security risk on the cloud platform?
Will plain SQL (like exec reporting_view_generato or select * from table, etc.) be allowed as per the cloud security guidelines/standards?

Any further guidelines from an Oracle cloud database data security perspective?

Thanks,
Rajneesh

and Chris said...

SQL injection is a coding problem. Any time you use string concatenation to construct a SQL statement using user supplied values, e.g.:

'select * from ... where c1 = ' || user_supplied_value

You're at risk.

Static ("plain") SQL, which is a fixed (never changing) statement, is safe.

For queries which take user input (show all orders for customer X, find all the products costing less than Y, etc.) you need to use bind variables. Depending on your programming language, the query above becomes something like:

'select * from ... where c1 = :user_supplied_value'

or

'select * from ... where c1 = ?'

or in PL/SQL you can use variables in static SQL and the database will bind them for you:

create or replace procedure p ( user_val int ) as
begin

  select ...
  where  c1 = user_val;

end p;


Using a cloud platform won't make SQL injection "go away". You need to write safe code!
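The following is an added, runnable illustration of the point Chris makes above; it is not code from the original answer or from Oracle. It uses Python's built-in sqlite3 module against a constructed in-memory orders table (assumed names: orders, customer, amount) so it runs without a database server. SQLite accepts both the positional ? placeholder and the :name bind style shown in the answer, so the same three shapes can be compared side by side: concatenated SQL lets a crafted value change the WHERE clause and return other customers' rows, while the bound versions treat the identical value as a plain string and match nothing.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for an orders table.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table orders (id integer primary key, customer text, amount integer)"
    )
    conn.executemany(
        "insert into orders (customer, amount) values (?, ?)",
        [("alice", 100), ("alice", 250), ("bob", 75)],
    )
    return conn


def orders_concat(conn, customer):
    # Vulnerable: the user-supplied value is spliced into the statement text,
    # the '... || user_supplied_value' pattern the answer warns against.
    sql = "select amount from orders where customer = '" + customer + "' order by id"
    return [row[0] for row in conn.execute(sql)]


def orders_bound(conn, customer):
    # Safe: positional bind variable ('?'); the value is passed to the driver
    # separately and is never parsed as SQL.
    sql = "select amount from orders where customer = ? order by id"
    return [row[0] for row in conn.execute(sql, (customer,))]


def orders_bound_named(conn, customer):
    # Safe: named bind variable (':customer'), the style the answer shows first.
    sql = "select amount from orders where customer = :customer order by id"
    return [row[0] for row in conn.execute(sql, {"customer": customer})]


def demo():
    # Runs the same two inputs through all three forms and returns the results.
    conn = build_db()
    honest = "alice"
    hostile = "x' or '1'='1"   # constructed value that closes the quote and adds a tautology
    return {
        "concat_honest": orders_concat(conn, honest),
        "concat_hostile": orders_concat(conn, hostile),   # leaks every customer's rows
        "bound_honest": orders_bound(conn, honest),
        "bound_hostile": orders_bound(conn, hostile),     # no customer has that literal name
        "named_hostile": orders_bound_named(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The bound forms also give the database one reusable statement text regardless of the value, which is the same property that makes PL/SQL's static SQL with local variables safe: the value is bound, never concatenated. Oracle drivers expose the same :name binds; only the placeholder syntax differs across drivers, not the principle.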

Comments

Thanks for your help

A reader, April 01, 2020 - 9:54 am UTC

Thank you, it helps!!!
