January 11, 2010
During a recent penetration test I came across the following web application architecture: user input was "protected" by escaping quotes with backslashes, MySQL-style, and the resulting query was sent to an Oracle database.
You may ask: what is wrong here?
The problem is that Oracle is not MySQL, and it simply doesn't "know" about escaping with backslashes :) Oracle, being a serious DBMS, has no concept of backslash escaping at all: the only way to put a single quote inside a string literal is to double it (''). So a backslash inside a string literal is just an ordinary character, and the quote that follows it terminates the literal, leaving the rest of the input to be parsed as SQL.
It should be mentioned that we came across many Oracle-backed applications during recent penetration tests, and most of them contained the vulnerability described above, i.e. they accepted the universal login "'or(1)=(1)--" (a classic SQL injection).
The same behaviour, a backslash ("\") interpreted as an ordinary character rather than as an escape, is found in Microsoft SQL Server as well.
For Sybase the picture is exactly the same.
Thus, these differences between DBMSs must be taken into account both when writing an application and when porting it to another database; otherwise escaping that is correct for MySQL becomes useless against SQL injection on Oracle, SQL Server or Sybase. The safest option is not to build queries from strings at all and to use bind variables (parameterized queries) instead.
Note: Bernardo Damele described this topic in his blog a year ago [1,2], but practice shows that the problem is still relevant.
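The following is an added example that is not part of the original post. It reproduces the failure described above without an Oracle instance: SQLite is used as a stand-in because, like Oracle, Microsoft SQL Server and Sybase, it has no backslash escapes in string literals and the only way to embed a single quote is to double it. The table, the user "alice", the password and the function names are all constructed for the example; the universal login "'or(1)=(1)--" is the payload from the post.

```python
import sqlite3

# Added example, not code from the original post. SQLite stands in for
# Oracle / MSSQL / Sybase: backslash is an ordinary character in its string
# literals, exactly the behaviour the post describes.

UNIVERSAL_LOGIN = "'or(1)=(1)--"   # payload from the post


def addslashes(s: str) -> str:
    """Imitates PHP's addslashes(): MySQL-style backslash escaping.

    Correct for MySQL, where \\' inside a literal means a literal quote.
    Useless for Oracle/MSSQL/Sybase (and SQLite): the backslash is just a
    character and the quote right after it closes the literal.
    """
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def setup_db() -> sqlite3.Connection:
    # Constructed sample data: one user with a known password.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def build_addslashes_query(login: str, password: str) -> str:
    """The vulnerable pattern: escape MySQL-style, then concatenate."""
    return ("SELECT login FROM users WHERE login='%s' AND password='%s'"
            % (addslashes(login), addslashes(password)))


def login_with_addslashes(conn, login: str, password: str) -> list:
    """Vulnerable: with the universal login the quote after '\\' ends the
    literal, 'or(1)=(1)' is parsed as SQL and '--' comments out the rest."""
    return [row[0] for row in conn.execute(build_addslashes_query(login, password))]


def login_with_quote_doubling(conn, login: str, password: str) -> list:
    """Escaping that matches the target DBMS: double every single quote.
    This is what Oracle, MSSQL, Sybase and SQLite actually understand."""
    def q(s: str) -> str:
        return s.replace("'", "''")
    sql = ("SELECT login FROM users WHERE login='%s' AND password='%s'"
           % (q(login), q(password)))
    return [row[0] for row in conn.execute(sql)]


def login_with_bind_variables(conn, login: str, password: str) -> list:
    """Preferred fix: bind variables, no query string is built at all."""
    cur = conn.execute(
        "SELECT login FROM users WHERE login=? AND password=?", (login, password))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = setup_db()
    print(build_addslashes_query(UNIVERSAL_LOGIN, "anything"))
    print(login_with_addslashes(db, UNIVERSAL_LOGIN, "anything"))     # ['alice']: bypassed
    print(login_with_quote_doubling(db, UNIVERSAL_LOGIN, "anything"))  # []
    print(login_with_bind_variables(db, UNIVERSAL_LOGIN, "anything"))  # []
```

Running the script prints the query the vulnerable version actually sends, `SELECT login FROM users WHERE login='\'or(1)=(1)--' AND password='anything'`, and shows that it logs in as alice without a password, while quote doubling (the escaping these DBMSs really use) and bind variables both reject the payload. Against MySQL the first query would be harmless, which is exactly why code ported from MySQL to Oracle keeps turning up with this hole.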