1.4 Avoidance Strategies Against SQL Injection Attacks

Several avoidance strategies can be employed to safeguard against, or mitigate the impact of, SQL injection attacks. Here are high-level descriptions of each of the strategies we will examine in more detail in the subsequent lessons:

Reduce the attack surface. Ensure that all excess database privileges are revoked and that only those routines that are intended for end-user access are exposed. Though this does not entirely eliminate SQL injection vulnerabilities, it mitigates the impact of the attacks.
Avoid dynamic SQL with concatenated input. Dynamic SQL built with concatenated input values presents the easiest entry point for SQL injections. Avoid constructing dynamic SQL this way.
Use bind arguments. Parameterize queries by using bind arguments. Bind arguments eliminate the possibility of SQL injections and enhance performance.
Filter and sanitize input.

The Oracle-supplied DBMS_ASSERT package contains a number of functions that can be used to sanitize user input and help in guarding against SQL injection in applications that use dynamic SQL built with concatenated input values.

If your filtering requirements cannot be satisfied by the DBMS_ASSERT package, you may need to create your own filter.
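The following PL/SQL is an added example, not part of the original tutorial, contrasting the concatenated form with the bind-argument form described above, and using DBMS_ASSERT for the one piece of input (an object name) that cannot be passed as a bind argument. The EMPLOYEES table, its LAST_NAME column and both procedure names are assumed for illustration only.

```sql
-- Concatenated form (the pattern to avoid): the caller-supplied value
-- becomes part of the statement text, so any quote character in it
-- changes the statement itself rather than being treated as data.
CREATE OR REPLACE PROCEDURE count_emp_unsafe (p_last_name IN VARCHAR2) IS
  v_sql   VARCHAR2(4000);
  v_count NUMBER;
BEGIN
  v_sql := 'SELECT COUNT(*) FROM employees WHERE last_name = '''
        || p_last_name || '''';             -- input spliced into the SQL text
  EXECUTE IMMEDIATE v_sql INTO v_count;
  DBMS_OUTPUT.PUT_LINE('Matches: ' || v_count);
END;
/

-- Bind-argument form: the value travels separately from the statement
-- text through the USING clause, so it is never parsed as SQL. A table
-- name cannot be bound, so DBMS_ASSERT.SIMPLE_SQL_NAME checks that it is
-- a well-formed identifier before it is concatenated; anything else
-- raises ORA-44003 (invalid SQL name) and the statement is never built.
CREATE OR REPLACE PROCEDURE count_emp_safe (p_table     IN VARCHAR2,
                                            p_last_name IN VARCHAR2) IS
  v_sql   VARCHAR2(4000);
  v_count NUMBER;
BEGIN
  v_sql := 'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
        || ' WHERE last_name = :name';      -- :name is a placeholder, not text
  EXECUTE IMMEDIATE v_sql INTO v_count USING p_last_name;
  DBMS_OUTPUT.PUT_LINE('Matches: ' || v_count);
END;
/

-- Usage (assumed schema): the same statement text is reused for every
-- call, which is where the performance benefit of binding comes from.
BEGIN
  count_emp_safe('EMPLOYEES', 'King');      -- a quote in p_last_name stays data
  count_emp_safe('bad name', 'King');       -- rejected by DBMS_ASSERT, ORA-44003
EXCEPTION
  WHEN OTHERS THEN
    DBMS_OUTPUT.PUT_LINE('Rejected: ' || SQLERRM);
END;
/
```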

Which of these methods is available, and which is best, for eliminating a given SQL injection vulnerability depends on the vulnerability itself. Not every method can be applied to every SQL injection vulnerability.