http://hoopercharles.wordpress.com/2010/08/02/sql-injection-getting-a-date-with-bobby-tables/ Miscellaneous Random Oracle Topics: Stop, Think, ... Understand Mon, 13 May 2013 14:10:06 +0000 hourly 1 http://wordpress.com/ http://hoopercharles.wordpress.com/2010/08/02/sql-injection-getting-a-date-with-bobby-tables/#comment-1597 Thu, 05 Aug 2010 07:31:41 +0000 http://hoopercharles.wordpress.com/?p=2909#comment-1597 @Fahd:
Nope. It boils down to using bind variables. Only if you cannot use bind variables should you worry about sanitizing that small amount of input data.
@Charles:
Well, until you stop doing implicit date-to-string conversion, you’ll be vulnerable to this attack… How about a to_char(dteSalesDate,’DD-MON-YYYY’) in the last version?

]]> http://hoopercharles.wordpress.com/2010/08/02/sql-injection-getting-a-date-with-bobby-tables/#comment-1589 Tue, 03 Aug 2010 11:41:54 +0000 http://hoopercharles.wordpress.com/?p=2909#comment-1589 At the end, it all boils down to sanitzing the input into the database. Every attack to the database comes through the input data, and as there are many variations of the input data, databases need the help of developer to make sure that only “nice” data is being pumped into the database.

]]>