You might think procedures that don't accept user input are immune from SQL injection attacks. But that's not always the case.
In a recently published whitepaper David Litchfield explains how using a little ingenuity can go a long way towards exploiting an Oracle RDMS.
Litchfield writes that, "even those functions and procedures that don't take user input can be exploited if SYSDATE is used. The lesson here is always, always validate and don't let this type of vulnerability get into your code. The second lesson is that no longer should DATE or NUMBER data types be considered as safe and not useful as injection vectors: as this paper has proved, they are."
Litchfield proves his points step-by-step in the whitepaper "Lateral SQL Injection: A New Class of Vulnerability in Oracle." It's probably a good idea to read the 4-page document carefully and then reconsider your particular RDMS situation accordingly.
End of Article
Register
