- Suppose you have a Web-based application which stores usernames alongside other session
information. Given a session identifier such as a cookie you want to retrieve the
current username and then use it in turn to retrieve some user information. You might
therefore have code for an "Update User Profile" screen somewhat similar to the following:
execute immediate 'SELECT username FROM sessiontable WHERE session
='''||sessionid||'''' into username;
execute immediate 'SELECT ssn FROM users WHERE
username='''||username||'''' into ssn;
This will be injectable if the attacker had earlier on the "Create Account" screen created a username such as:
XXX' OR username='JANE
Which creates the query:
SELECT ssn FROM users WHERE username='XXX’ OR username='JANE'
If the user XXX does not exist, the attacker has successfully retrieved Jane’s
social security number.
- The attacker can create malicious
database objects such as a function called as part of an API, or a maliciously
named table by using double quotation marks to introduce dangerous constructs.
For example, an attacker can create a table using a table name such as "tab') or 1=1--", which can be exploited later in a second order SQL injection attack.