
Prevention of SQL Injection in Oracle APEX / PL/SQL (each "Wrong" example splices user-controlled text into a statement; each "Correct" example passes the value as data)

Wrong Query (vulnerable: the item value is concatenated into the SQL text):
-- VULNERABLE: the value of P1_EMPNO is appended to the statement text, so the
-- user controls part of the SQL. A value such as  7839 or 1=1  returns every row,
-- and a UNION can read other tables. This appears to be a fragment of an APEX
-- "function returning SQL query" region source; the declaration of l_sql is not shown.
l_sql := 'select * from emp where empno =' || :P1_EMPNO ;
RETURN l_sql;

Correct Query (bind variable in the statement text):
-- SAFE: the statement text is a constant. :P1_EMPNO is a bind placeholder that APEX
-- resolves with the session-state value when the query runs, so the value is data,
-- never SQL. (Fragment as above; l_sql is declared outside the shown lines.)
l_sql := 'select * from emp where empno = :P1_EMPNO' ;
RETURN l_sql;

Wrong Query (vulnerable: a substitution variable is spliced into the code before it is compiled):
-- VULNERABLE and not a runtime parameter: "&p_deptno" is a SQL*Plus-style
-- substitution variable. The text supplied for it is pasted into the source
-- before the function is compiled, so whatever is supplied becomes part of the
-- statement, and the function itself has no argument at all. APEX "&ITEM."
-- substitution strings are text replacement in the same way and must not be
-- used inside SQL or PL/SQL.
create or replace FUNCTION myfn
return VARCHAR2 is
v_dname VARCHAR2(20);
begin
-- The value is compiled into the statement text, not bound at execution time.
select dname into v_dname
from dept
where deptno = &p_deptno;
return v_dname;
end;
Correct Query (real parameter, bound with EXECUTE IMMEDIATE ... USING):
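-- SAFE: p_deptno is a real NUMBER parameter and reaches the SQL engine only as a
-- bind value (EXECUTE IMMEDIATE ... USING). The statement text is a constant, so
-- the caller cannot change what the statement does.
-- NOTE(review): the page text read "execute immediately"; the PL/SQL keyword is
-- EXECUTE IMMEDIATE, so the listing as printed would not compile.
-- Nothing here is actually dynamic; a static
--   select dname into v_dname from dept where deptno = p_deptno;
-- would be simpler and equally safe. The dynamic form is kept to show the USING clause.
-- Raises NO_DATA_FOUND / TOO_MANY_ROWS exactly like a static SELECT INTO.
create or replace FUNCTION myfn(p_deptno in NUMBER)
return VARCHAR2 is
  v_dname VARCHAR2(20);
  v_sql   VARCHAR2(32767);
begin
  -- ":1" is a bind placeholder; the value is supplied by USING below.
  v_sql := 'select dname from dept where deptno = :1';
  execute immediate v_sql into v_dname using p_deptno;
  return v_dname;
end;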
Wrong Query (vulnerable: the quoted item value is concatenated into the SQL text):
-- VULNERABLE: the value of P4_JOB is wrapped in quotes and spliced into the statement,
-- giving  SELECT ... WHERE job = '<value>'  as text. A value such as
--   CLERK' OR '1'='1
-- or one containing a UNION or a comment marker (--) changes the statement, and
-- APEX_COLLECTION executes whatever text it is given as dynamic SQL.
-- NOTE(review): as printed, "1_query" cannot be a PL/SQL identifier (identifiers may not
-- start with a digit) and the spaced quotes "' ' '" stand for the escape sequence ''';
-- this looks like extraction garbling of  l_query  and  ''' || :P4_JOB || ''''.
-- "CREATECOLLECTION_FROM_QUERY" is presumably CREATE_COLLECTION_FROM_QUERY.
declare
1_query varchar2(2000);
begin
-- Drop any collection left over from an earlier run so the query below repopulates it.
if APEX_COLLECTION.COLLECTION_EXISTS( p_collection_name => 'TEMPEMP')
then
APEX_COLLECTION.DELETE_COLLECTION(p_collection_name => 'TEMPEMP');
end if;
-- The item value becomes part of the SQL string here.
1_query := 'SELECT empno, ename, sal FROM emp WHERE job = ' ' ' || :P4_JOB || ' ' ' ' ;
APEX_COLLECTION.CREATECOLLECTION_FROM_QUERY(
p_collection_name => 'TEMPEMP',
p_query => 1_query);
end ;

Correct Query (item value read inside the query with v(), not concatenated):
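-- SAFE: the statement text is constant. v('P4_JOB') is a function call evaluated by
-- the SQL engine when the collection query runs, so the item's value is never part
-- of the SQL; a value such as  ' or 1=1 --  is simply compared literally against JOB.
-- NOTE(review): repaired what looked like extraction garbling in the printed page:
-- "1_query" -> l_query (identifiers cannot start with a digit), spaced quotes ->
-- the '' escape sequence, and CREATECOLLECTION_FROM_QUERY -> CREATE_COLLECTION_FROM_QUERY.
-- If a bind is preferred over v(), APEX_COLLECTION.CREATE_COLLECTION_FROM_QUERY_B
-- accepts bind names and values for the same purpose.
declare
  l_query varchar2(2000);
begin
  -- Drop any collection left over from an earlier run so the query below repopulates it.
  if APEX_COLLECTION.COLLECTION_EXISTS(p_collection_name => 'TEMPEMP') then
    APEX_COLLECTION.DELETE_COLLECTION(p_collection_name => 'TEMPEMP');
  end if;
  -- '' inside the literal is a single quote, so the SQL text is:
  --   SELECT empno, ename, sal FROM emp WHERE job = v('P4_JOB')
  l_query := 'SELECT empno, ename, sal FROM emp WHERE job = v(''P4_JOB'')';
  APEX_COLLECTION.CREATE_COLLECTION_FROM_QUERY(
    p_collection_name => 'TEMPEMP',
    p_query           => l_query);
end;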
Wrong Query (vulnerable: NVL only replaces NULL, the item value is still concatenated):
-- VULNERABLE: NVL is not input validation. It replaces only a NULL value with 0; any
-- non-null text in P3_DEPTNO is concatenated into the statement unchanged, so
--   10 union select username from all_users
-- changes what the cursor returns. A second issue: DNAME is written into HTML with
-- htp.p without escaping, so a stored value like <script>... is sent to the browser as
-- markup (XSS). The cursor is also not closed if fetching raises.
-- NOTE(review): "1_cur"/"1_sql"/"1_data" and "nv1" cannot be PL/SQL identifiers as
-- printed; they read as extraction garbling of l_cur/l_sql/l_data and nvl.
declare
TYPE cur_typ IS REF CURSOR;
l_cur cur_typ;
1_sql VARCHAR2(256);
l_data VARCHAR2(256);
begin
htp.p('<table>');
-- The item value is appended to the SQL text here (NVL does not change that).
l_sql := 'select dname from dept where deptno = ' || nv1(:P3_DEPTNO,0);
open 1_cur for 1_sql;
loop
fetch 1_cur into 1_data;
exit when 1_cur%NOTFOUND;
-- Unescaped database value rendered into HTML.
htp.p('<tr><td>' || 1_data || '</td></tr>');
end loop;
close 1_cur;
htp.p('</table>');
end;
Correct Query (OPEN ... FOR ... USING bind, with escaped output):
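-- SAFE: the statement text is constant and :deptno is a bind placeholder supplied by
-- the USING clause. The NVL now runs inside the SQL engine on the bound value, so the
-- item text can never become part of the statement.
-- NOTE(review): repaired extraction garbling from the printed page ("1_cur"/"1_sql"/
-- "1_data" -> l_cur/l_sql/l_data, "nv1" -> nvl). Two hardening changes beyond the
-- original: DNAME is HTML-escaped before it is written (it comes from the database and
-- is rendered as markup, so escaping prevents stored XSS), and the cursor is closed if
-- fetching raises, so an error does not leak an open cursor.
declare
  TYPE cur_typ IS REF CURSOR;
  l_cur  cur_typ;
  l_sql  VARCHAR2(256);
  l_data VARCHAR2(256);
begin
  htp.p('<table>');
  -- Bind placeholder; value supplied positionally by USING below.
  l_sql := 'select dname from dept where deptno = nvl(:deptno,0)';
  open l_cur for l_sql using :P3_DEPTNO;
  begin
    loop
      fetch l_cur into l_data;
      exit when l_cur%NOTFOUND;
      -- Output encoding: escape the value for its HTML context.
      htp.p('<tr><td>' || htf.escape_sc(l_data) || '</td></tr>');
    end loop;
    close l_cur;
  exception
    when others then
      -- Do not leak the cursor on error; re-raise so the caller still sees the failure.
      if l_cur%ISOPEN then
        close l_cur;
      end if;
      raise;
  end;
  htp.p('</table>');
end;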
Wrong Query (vulnerable: the LIKE pattern is built by concatenating the item value):
-- VULNERABLE: the value of P5_MATCH is concatenated into the statement between the
-- quotes of the LIKE pattern, so the resulting text is  where dname like '%<value>%'.
-- A value such as  %' or 1=1 --  leaves the literal and rewrites the WHERE clause.
-- This appears to be an APEX "PL/SQL function body returning SQL query" region source,
-- which is why an anonymous block ends with RETURN.
-- NOTE(review): the spaced quotes "' ' %'" in the printed page stand for the ''
-- escape sequence, i.e.  ''%' || :P5_MATCH || '%''' .
declare
l_query VARCHAR2(1024);
l_where VARCHAR2(1024);
begin
l_query := 'select dname, deptno from dept';
if :P5_MATCH is not null then
-- The item value is spliced into the SQL text here.
l_where := 'where dname like ' ' %' || :P5_MATCH || ' % ' ' ' ;
l_query := l_query || ' ' || l_where;
end if;
return l_query;
end;

Correct Query (bind variable; the wildcards are concatenated inside the SQL, not in PL/SQL):
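-- SAFE: the PL/SQL emits only constant text. The wildcard concatenation is written
-- into the SQL statement around a bind placeholder, so the query APEX executes is
--   select dname, deptno from dept where dname like '%' || :P5_MATCH || '%'
-- and the search term reaches the SQL engine as a bound value, never as statement text.
-- Caveat (not injection): % and _ typed by the user still act as LIKE wildcards and a
-- leading % prevents index use; add an ESCAPE clause if that matters for this screen.
-- NOTE(review): the spaced quotes in the printed page were extraction garbling of the
-- '' escape sequence; '' inside a literal is one single quote.
declare
  l_query VARCHAR2(1024);
  l_where VARCHAR2(1024);
begin
  l_query := 'select dname, deptno from dept';
  -- Only add the filter when the user typed something; otherwise return all rows.
  if :P5_MATCH is not null then
    l_where := 'where dname like ''%'' || :P5_MATCH || ''%''';
    l_query := l_query || ' ' || l_where;
  end if;
  return l_query;
end;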

Wrong Query (vulnerable: &ITEM. substitution inside a PL/SQL string literal):
-- VULNERABLE: &P6_MSG. is an APEX substitution string, i.e. text replacement performed
-- before this PL/SQL is parsed. A message containing a single quote ends the string
-- literal and the rest of the value is executed as PL/SQL. (&APP_ID. and &APP_SESSION.
-- are application-controlled, so they are not the problem here.)
apex_util.prepare_url('f?p=&APP_ID.:6:&APP_SESSION.::::P6_MSG:&P6_MSG.')
Correct Query (bind variable instead of substitution string; value URL-encoded):
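-- SAFE: :P6_MSG is a bind, resolved at run time as data, so a quote in the message
-- cannot break out of the literal or run as PL/SQL. Added apex_util.url_encode so that
-- characters with meaning in an f?p URL (':' separates segments, ',' separates item
-- values, '&' starts a new parameter) inside the message cannot set other items or
-- alter the target page; apex_util.prepare_url then appends the session-state checksum
-- where session state protection requires one. &APP_ID. / &APP_SESSION. remain
-- application-controlled substitutions, not user input.
apex_util.prepare_url('f?p=&APP_ID.:6:&APP_SESSION.::::P6_MSG:' || apex_util.url_encode(:P6_MSG))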
