c# - Create command thowrs ORA-01036: illegal variable name/number exception -

-

i working on fixing sql injection flaw reported tool. our application reading oracle queries xml. query shown below...

<commandtext>create user &amp;username identified externally</commandtext>

in program, query was modified follows...

create user user_05 identified externally

i asked add parameter statements avoid sql injection. did similar thing shown below...

oraclecommand command = connection.createcommand(); command.commandtext = "create user :username identified externally"; string attrname = "username"; string valuetobeput = "user_05"; command.parameters.add(new oracleparameter(attrname, valuetobeput)); command.executenonquery();

and when tried execute query. failing following exception: 

{"ora-01036: illegal variable name/number"}

can me on this. might doing wrong here?

thanks.

to prevent exploiting code, should check if entered values save. oracle provides dbms_assert package you.

what create stored procedure accepts username argument. stored procedure create database user you. stored procedure verify argument if there no sql injection using 

dbms_assert.qualified_sql_name ();

your code bind input calling stored procedure.

check out dbms_assert package http://docs.oracle.com/database/121/arpls/d_assert.htm#arpls65375

what don't understand why want create users on fly...


Comments

Post a Comment

Popular posts from this blog

yii2 - Yii 2 Running a Cron in the basic template -

-
i have seen instructions on running cron in advanced template, cant figure out how on basic template. have following controller in basic controllers folder. <?php namespace app\controllers; use yii\console\controller; /** * cron controller */ class croncontroller extends controller { public function actionindex() { echo "cron service runnning"; } public function actionmail($to) { echo "sending mail " . $to; } } i have navigated root of application , tried these comands yii cron php yii cron im getting unknown comand "cron" i know old question failed find actual answer this. if @ code yii exec file you'll notice requires /common/config/aliases.php file console/config/main.php. can naturally change these or copy on these advanced template. hope solves problem wanting same thing.
Read more

asp.net - 'System.Web.HttpContext' does not contain a definition for 'GetOwinContext' Mystery -

-
i realize question might seem trivial some, it's these types of things find myself fighting quite bit , want make sense of despite seeming losing battle in .net (for me anyway). so, if following: using system.web; ... applicationuser user = system.web.httpcontext.getowincontext().getusermanager<applicationusermanager>().findbyid(system.web.httpcontext.user.identity.getuserid()); that produces error in title , red getowincontext() , error cannot resolve symbol 'getowincontext()' however, if following (remove system.web in front of httpcontext ), works expected (or @ least no errors): using system.web; ... applicationuser user = httpcontext.getowincontext().getusermanager<applicationusermanager>().findbyid(system.web.httpcontext.user.identity.getuserid()); however, if (same line that's working using system.web commented out): //using system.web; ... applicationuser user = httpcontext.getowincontext().getusermana...
Read more

mercurial graft feature, can it copy? -

-
there new feature in mercurial 3, called 'graft' (graft local). job of moving change-set different branch. is there way "copy" change-set branch? i interested in in moving stuff qa branch production branch, still need code reside in qa. want copy. found , have tried few things, maybe it'll become clear more tinkering , reading... does have better way of 'cherry picking' change-sets move cross branch (or trunk)??? graft copies changesets, doesn't move them. hg graft (emphasis mine): this command uses mercurial's merge logic copy individual changes other branches without merging branches in history graph. known 'backporting' or 'cherry-picking' . default, graft copy user, date, , description source changesets.
Read more