Native Dynamic SQL – Dodgy Code and DRS

Dynamic. That’s a positive word if ever there was one. Ascribing this adjective to anything would convey an image of energy and forward momentum.
On the question of Dynamic SQL, the images are rather more equivocal.
On the plus side, Native Dynamic SQL gives you the ability to:

  • execute DDL statements from within PL/SQL programs
  • code for instances where the required DML statement is not known ahead of time

On the flip side, it can also mean code that is:

  • difficult to read and maintain
  • prone to performance problems
  • insecure

To wander through this minefield, I have enlisted the support of a world where DRS does not stand for Dodgy Review System.
Yes, it’s the wacky and entertaining (not always intentionally so) world of Formula 1…

Taking the bind out of mid-tier queries

At least it wasn’t penalties. Another straw to clutch at – to paraphrase George W Bush – the Germans have no word for schadenfreude.
On top of that, I was in Sainsburys the day after the game and picked up an England branded top for a mere £4. The good news just keeps on coming.
For anyone not sharing in the English mood of… not so much mourning as a sort of resigned cynicism… this is still a post about Oracle stuff, but with a football theme.

Self-Inflicted SQL Injection – don’t quote me !

After my recent post about escaping quotes in SQL scripts, I was surprised and delighted to receive a mail from Alexander Kornbrust, CEO of Red Database Security.
In it, he said he’d read the post and pointed out that the code therein was vulnerable to SQL Injection.
I was fortunate enough to work with Alex, before he went off to become famous, so I know that he’s a bona fide expert in all things Oracle, especially security. Even so, I was initially puzzled by his assertion.
After all, the code I’d posted was an example where the code is held in a script and NOT in the database, so it wouldn’t be vulnerable to being executed by someone who’d hacked into the database itself. After all, SQL Injection happens interactively, doesn’t it? The hacker needs to be probing for weaknesses via a web front-end or similar. Don’t they have to be physically typing stuff in somewhere for this to work? Er… apparently not.
Having asked around a number of Oracle developers, this would seem to be a widely held misconception. In terms of SQL Injection attacks, we’re all familiar with the classic HTML login form which POSTs to some mid-tier script or program which, in turn, simply concatenates the username and password strings supplied by the user into a query, then fires it off unthinkingly at the database. But how can you be attacked when the attacker isn’t even around at the time?