SQL Injection in SQL

Vulnerable Examples

PL/SQL

Oracle PL/SQL offers more than one way to build a dynamic SQL statement by string concatenation. Both forms below (EXECUTE IMMEDIATE and OPEN ... FOR) splice the untrusted p_phone value directly into the query text, so whatever it contains is parsed as SQL.

-- p_phone is concatenated into the statement text instead of being bound, so its content becomes part of the SQL
EXECUTE IMMEDIATE 'SELECT id FROM db.Table WHERE phone = ''' || p_phone || '''';
-- the same concatenation feeding a ref cursor
OPEN selection_table FOR 'SELECT id FROM db.Table WHERE phone = ''' || p_phone || '''';
FETCH selection_table INTO v_selected_id;

T-SQL

The T-SQL command sp_executesql executes a Transact-SQL statement from a Unicode string. Here that string is assembled by concatenating @P_PHONE into the query text, so the value is interpreted as SQL rather than as data.

-- @P_PHONE is concatenated into the statement text rather than passed through sp_executesql's parameter list
SET @SQLString = N'SELECT id FROM db.Table WHERE phone = ''' + @P_PHONE + '''';
EXECUTE sp_executesql @SQLString;
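The same two lookups with the phone number bound as a parameter instead of concatenated, as an added example (not code from the original page): Oracle PL/SQL binds through USING, T-SQL through sp_executesql's parameter definition, so the value can only ever be data. The table name db.Table is the page's own and is quoted here because TABLE is a reserved word in both dialects; the procedure name and the sample phone value are constructed for this example.

```sql
-- Oracle PL/SQL: bind variables carry the value separately from the statement text.
-- (Bind variables cannot replace identifiers such as table or column names; those
--  must never come from user input in the first place.)
CREATE OR REPLACE PROCEDURE find_id_by_phone (
    p_phone        IN  VARCHAR2,
    v_selected_id  OUT NUMBER
) IS
    selection_table SYS_REFCURSOR;
BEGIN
    -- single-row form: placeholder :ph is filled from p_phone at execution time
    EXECUTE IMMEDIATE 'SELECT id FROM db."Table" WHERE phone = :ph'
        INTO v_selected_id
        USING p_phone;

    -- ref-cursor form: same placeholder, same USING clause
    OPEN selection_table FOR 'SELECT id FROM db."Table" WHERE phone = :ph'
        USING p_phone;
    FETCH selection_table INTO v_selected_id;
    CLOSE selection_table;
END;
/

-- T-SQL: sp_executesql takes the statement, a parameter definition string, and the values.
-- The statement text never changes, whatever @P_PHONE contains.
DECLARE @SQLString     NVARCHAR(500);
DECLARE @ParmDefinition NVARCHAR(500);
DECLARE @P_PHONE       NVARCHAR(50) = N'555-0100';   -- constructed sample input

SET @SQLString     = N'SELECT id FROM db.[Table] WHERE phone = @phone';
SET @ParmDefinition = N'@phone NVARCHAR(50)';

EXECUTE sp_executesql @SQLString, @ParmDefinition, @phone = @P_PHONE;
```

With either form the database plan cache also benefits, since the statement text is identical for every phone value; the concatenated originals produce a distinct statement per input.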

References

CWE - CWE-89: Improper Neutralization of Special Elements used in an SQL Command

OWASP - SQL Injection

OWASP - SQL Injection Prevention Cheat Sheet

BlackHat - Oracle PL/SQL Injections

Microsoft - SQL Injection