Search This Blog

Monday, January 06, 2014

Strategies against SQL injection.

  1. In PL/SQL API, expose only those routines that are intended for customer use.
  2. Do not use APIs that allow arbitrary query parameters to be exposed.
  3. Restrict users accessing specified web page.
  4. Use static SQL as a technique when all Oracle identifiers are known at the time of code compilation
  5. Using parameterized queries with bind arguments.
  6. Validate user inputs to functions that use dynamic SQLs built with concatenated values.
  7. Validate all input concatenated to dynamic SQL.

No comments: