SQL Injection Tutorial Now Available!
By Eric P. Maurice-Oracle on Feb 17, 2008
Hello, this is Shirley Ann Stern! Recent security research indicates that SQL injection attacks constitute one of the most prevalent types of threats to IT environments. For example, in its "Top 20", SANS identifies SQL Injection as a major threat to Web applications.
SQL injection is one of the most common forms of attack carried out at the application layer. In layman's terms, SQL Injection attacks are designed to leverage improper coding of web applications that, in the absence of proper input validation, allows a malicious attacker to insert string input into an application and, as a result, send potentially harmful SQL commands to the application's back-end database. Although any program or application that is powered by a database may be vulnerable to SQL injection, web applications are at a higher risk because they often allow an attacker to perpetrate SQL injection attacks without being authenticated to the targeted database or application. The potential consequences of these attacks are serious. A successful SQL Injection attack can allow the attacker to gather sensitive data, manipulate database information, and in some instances change the structure of the database, deny legitimate access to it, or grant unauthorized privileges to himself or others.
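The coding defect the paragraph describes, shown as an added example that is not part of the original post or of Oracle's "Defending Against SQL Injection Attacks" material: Python's built-in sqlite3 module stands in for the back-end database (the users table, its rows and the two login functions are constructed for illustration). A login query assembled by string concatenation is placed beside the same query using bind variables, which is the equivalent of `EXECUTE IMMEDIATE ... USING` or a static SQL statement with bind variables in the Oracle environment the training covers.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample database standing in for an application's
    # back-end database; the users and passwords are illustrative only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Improper coding: the statement is built by concatenating untrusted input
    # into the SQL text, so the database cannot distinguish data from commands.
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    # Bind variables: the SQL text is fixed at development time and the input is
    # handed to the database purely as data, whatever characters it contains.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    # Compares both implementations on legitimate credentials and on a
    # quote-terminating string of the kind the paragraph warns about.
    conn = make_db()
    tainted = "' OR '1'='1"
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_tainted": login_vulnerable(conn, tainted, tainted),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
        "safe_tainted": login_safe(conn, tainted, tainted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the concatenated query the tainted input rewrites the WHERE clause and every user row comes back, which is exactly the unauthenticated data exposure described above; with bind variables the same input simply fails to match any row. The same pattern applies to any input that reaches a dynamic SQL statement, not only login forms.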
An important objective of Oracle Software Security Assurance is to provide information to customers that helps enable them to use our products securely. To this end, we have developed training materials titled "Defending Against SQL Injection Attacks." This training content is available online now and can also be downloaded so that offline studying (on the train during your morning commute) is possible. "Defending Against SQL Injection Attacks" highlights some of the coding practices required to eliminate SQL injection vulnerabilities when developing in an Oracle environment. Oracle recommends that anyone who develops Internet applications that access an Oracle database review these materials. Note that this tutorial will also be available through Oracle University as a lesson in the instructor-led course "Oracle Database 11g: Advanced PL/SQL", which is scheduled to be available in April 2008.
More information on Oracle Software Security Assurance is available on Oracle.com. Various trainings, including "Defending Against SQL Injection Attacks", are available on the Server Technologies Curriculum Web Site. The Security Technology Center and Oracle Software Security Assurance Resource Library also include a number of useful links to security trainings and white papers.