6.5 Trap and Handle Exceptions

Normal SQL injection attacks depend to a great extent on an attacker reverse engineering portions of the original SQL query by using information gained from error messages. Therefore, keep application error messages succinct and do not divulge any metadata information (such as column names, table names, and so on).

Design your code to trap and handle exceptions appropriately. Before you deploy your application, remove all code tracing and debug messages.

Starting with Oracle Database 10.2, you can use PL/SQL conditional compilation to manage self-tracing code, assertions, and so on, so that debug output is compiled out of production code rather than merely switched off.
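As an added example (not code from the original guide), the following PL/SQL procedure traps any error, writes the full detail to an internal log table, and raises only a generic message to the caller; the developer tracing is wrapped in conditional compilation. The `app_error_log` and `order_lines` tables, the procedure names and the `debug_on` flag are assumptions for illustration.

```sql
-- Assumed for this example: app_error_log(logged_at, err_code, err_msg,
-- err_backtrace) and order_lines(order_id, line_total) exist. The names and
-- the debug_on compilation flag are hypothetical, not from the original page.
ALTER SESSION SET PLSQL_CCFLAGS = 'debug_on:FALSE';

CREATE OR REPLACE PROCEDURE log_error_internal (
  p_code      IN PLS_INTEGER,
  p_msg       IN VARCHAR2,
  p_backtrace IN VARCHAR2
) IS
  PRAGMA AUTONOMOUS_TRANSACTION;  -- the log row survives the caller's rollback
BEGIN
  INSERT INTO app_error_log (logged_at, err_code, err_msg, err_backtrace)
  VALUES (SYSTIMESTAMP, p_code, p_msg, p_backtrace);
  COMMIT;
END log_error_internal;
/

CREATE OR REPLACE PROCEDURE get_order_total (
  p_order_id IN NUMBER,
  p_total    OUT NUMBER
) IS
BEGIN
  -- Static SQL with a parameter: the value is bound, not concatenated.
  SELECT SUM(line_total)
    INTO p_total
    FROM order_lines
   WHERE order_id = p_order_id;
EXCEPTION
  WHEN OTHERS THEN
    -- Full detail (ORA code, message text, backtrace) goes only to the
    -- internal log, where table and column names are acceptable.
    log_error_internal(SQLCODE, SQLERRM,
                       DBMS_UTILITY.FORMAT_ERROR_BACKTRACE);
    $IF $$debug_on $THEN
      -- Developer-only tracing; compiled out entirely when debug_on is FALSE.
      DBMS_OUTPUT.PUT_LINE('get_order_total: ' || SQLERRM);
    $END
    -- The caller sees a succinct message that reveals no metadata.
    RAISE_APPLICATION_ERROR(-20001, 'Unable to process the request.');
END get_order_total;
/
```

Recompiling with `PLSQL_CCFLAGS = 'debug_on:TRUE'` in a development session re-enables the trace line without any change to the source.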