
2.3 Reduce Arbitrary Inputs

Because a SQL injection attack is really possible only if user input is allowed, you can prevent the attack by limiting user input.

First, you must reduce the end-user interfaces to only those actually needed. For example:

  • In a Web application, restrict the users' access to specified Web pages.
  • In a PL/SQL API, expose only the routines intended for customer use.

Remove any debug, test, deprecated, and other unnecessary interfaces. They add nothing to product functionality, but provide an attacker with more ways to target your application.

From Oracle Database 10.2 onward, you can use PL/SQL conditional compilation to manage self-tracing code, assertions, and so on, so that such code is compiled in only when needed.

Second, where user input is required, make use of language features to ensure that only data of the intended type is specified. For example:

  • Do not specify a VARCHAR2 parameter when the parameter will be used as a number.
  • Do not use NUMBER if you need only positive integers; use NATURAL instead.

Careful selection of the parameter types of an API can considerably reduce the scope for attack, and makes the API a lot easier for customers to use.
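The following is an added example, not code from the Oracle tutorial, showing both points of this section on one routine: the same lookup first with an over-broad VARCHAR2 parameter, then with the parameter narrowed to NATURAL and the debug trace placed under conditional compilation. It assumes an employees table with employee_id and salary columns (as in the HR sample schema) and a conditional compilation flag named debug_on.

```plsql
-- Weak: p_emp_id is VARCHAR2 although it is only ever used as a number,
-- so whatever text the caller passes is spliced into the statement verbatim.
CREATE OR REPLACE PROCEDURE get_salary_weak (p_emp_id IN VARCHAR2) AS
  v_sal NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT salary FROM employees WHERE employee_id = ' || p_emp_id
    INTO v_sal;
  DBMS_OUTPUT.PUT_LINE('Salary: ' || v_sal);
END;
/

-- Hardened: the parameter is declared NATURAL, so a non-numeric or negative
-- argument is rejected at the call with ORA-06502 before any SQL is built.
-- The value is also passed as a bind argument rather than concatenated.
CREATE OR REPLACE PROCEDURE get_salary (p_emp_id IN NATURAL) AS
  v_sal NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT salary FROM employees WHERE employee_id = :id'
    INTO v_sal USING p_emp_id;

  -- Self-tracing code is compiled in only when the (assumed) inquiry flag
  -- debug_on is set, e.g. ALTER SESSION SET PLSQL_CCFLAGS = 'debug_on:TRUE';
  -- in a production build the flag is unset and this block does not exist.
  $IF $$debug_on $THEN
    DBMS_OUTPUT.PUT_LINE('get_salary called with employee_id=' || p_emp_id);
  $END

  DBMS_OUTPUT.PUT_LINE('Salary: ' || v_sal);
END;
/

-- Calls: the first two succeed against both procedures; the third is accepted
-- and executed by get_salary_weak but raises ORA-06502 in get_salary.
BEGIN
  get_salary(100);
  get_salary('100');            -- implicit conversion to NATURAL succeeds
  get_salary('100 OR 1=1');     -- character to number conversion error
END;
/
```

Compile the hardened procedure once with PLSQL_CCFLAGS set and once without, and compare DBMS_DB_VERSION-independent output of DBMS_PREPROCESSOR.PRINT_POST_PROCESSED_SOURCE to confirm the trace line is absent from the production build.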