Purpose
Tools to prevent SQL Injection attacks
AUTHID
CURRENT_USER
Dependencies
-- Objects that depend on DBMS_ASSERT, together with the objects DBMS_ASSERT itself
-- depends on, as a single de-duplicated list. Column keeps the name NAME.
SELECT name
  FROM dba_dependencies
 WHERE referenced_name = 'DBMS_ASSERT'
UNION
SELECT referenced_name AS name
  FROM dba_dependencies
 WHERE name = 'DBMS_ASSERT'
 ORDER BY name;
Returns the value without any checking. This should be used only for proof-of-concept where the use of other DBMS_ASSERT functionality is being considered.
Overload 1
-- Identity function: returns str unchanged with no validation at all (see the
-- description above). The return type carries the caller's character set.
dbms_assert.noop(str IN VARCHAR2 CHARACTER SET ANY_CS)
RETURN VARCHAR2 CHARACTER SET str%CHARSET;
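-- Demo credential rows for ckpwd. The column list is explicit so the inserts
-- do not depend on the physical column order of user_pwd.
INSERT INTO user_pwd (username, password) VALUES ('UWCLASS', 'UWCLASS');
INSERT INTO user_pwd (username, password) VALUES ('MORGAN', 'AceDir');
COMMIT;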
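-- Checks (usr, pwd) against user_pwd.
--   usr : must name an existing schema; validated with dbms_assert.schema_name,
--         which raises dbms_assert.invalid_schema_name otherwise.
--   pwd : compared verbatim against user_pwd.password.
-- Prints the statement it runs, then either "<usr> is authenticated" or
-- " access denied", followed by the matching row count.
CREATE OR REPLACE PROCEDURE ckpwd (usr IN VARCHAR2, pwd IN VARCHAR2) IS
  -- The statement text is constant: both values are passed as bind variables,
  -- so neither parameter can change the SQL, and the 100-byte buffer cannot
  -- overflow on a long input the way the concatenated version could.
  v_query  VARCHAR2(100) :=
    q'{SELECT COUNT(*) FROM user_pwd WHERE username = :usr AND password = :pwd}';
  v_schema VARCHAR2(128);
  v_output PLS_INTEGER;
BEGIN
  -- DBMS_ASSERT demonstration: reject anything that is not an existing schema
  -- name before any SQL is executed.
  v_schema := dbms_assert.schema_name(usr);

  dbms_output.put_line(CHR(10) || 'Built the following statement: ' || CHR(10) || v_query);

  EXECUTE IMMEDIATE v_query INTO v_output USING v_schema, pwd;

  -- Only a matching row authenticates; the earlier version printed
  -- "is authenticated" regardless of the count.
  IF v_output > 0 THEN
    dbms_output.put_line(CHR(10) || usr || ' is authenticated');
  ELSE
    dbms_output.put_line(CHR(10) || ' access denied');
  END IF;
  dbms_output.put_line(TO_CHAR(v_output));
EXCEPTION
  WHEN dbms_assert.invalid_schema_name THEN
    -- Same message as a wrong password so the caller cannot tell which check failed.
    dbms_output.put_line(CHR(10) || ' access denied');
END ckpwd;
/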
Procedure created.
-- Enable DBMS_OUTPUT display, then run the procedure with the first demo credential pair.
SET SERVEROUTPUT ON
EXECUTE ckpwd('UWCLASS', 'UWCLASS');
Built the following statement:
SELECT COUNT(*) FROM user_pwd WHERE username = 'UWCLASS' AND password = 'UWCLASS'