Comments on: Self-Inflicted SQL Injection – don’t quote me !

By: ali

ali — Tue, 06 Jul 2010 20:45:28 +0000

Sql injection tools pangolin liqidis havij jsky safe3 m4x Sqlihelper

By: Martine

Martine — Thu, 18 Mar 2010 22:56:57 +0000

Database links are object types that can have dots in the names; might want to exclude them from the allowable characters script:

AND REGEXP_INSTR(REGEXP_REPLACE(object_name, ‘\$|_|\#’,”), ‘[[:punct:]]|[[:space:]]’) >0
and object_type ‘DATABASE LINK’;

Also exclude legitimately-owned objects in the wrapper find:

WHERE UPPER(text) LIKE (‘%WRAPPED%’)
and owner not in (‘SYS’, ‘SYSTEM’,'DBSNMP’)

Enjoying your blog, and this post was especially delightful.

By: Alam

Alam — Mon, 08 Mar 2010 11:44:06 +0000

Great post! I’ve bookmarked your blog.

By: Week 7 in Review | Infosec Events

Week 7 in Review | Infosec Events — Mon, 22 Feb 2010 03:49:44 +0000

[...] Self-Inflicted SQL Injection – don’t quote me ! – mikesmithers.wordpress.com But how can you be attacked when the attacker isn’t even around at the time ? [...]

By: A nice blog post about SQL Injection » Musings on Database Security

A nice blog post about SQL Injection » Musings on Database Security — Mon, 15 Feb 2010 21:31:00 +0000

[...] really well written blog post from Mike Smithers about the need to validate data from all sources – also coming from the [...]