
Oracle Database Discussions


full text search - prevent sql injection?

923910, Mar 14 2012 (edited Mar 15 2012)
I have the following query:
CREATE PROCEDURE search (results OUT SYS_REFCURSOR, filter IN VARCHAR2)
IS
BEGIN
  -- the user-supplied filter is passed to CONTAINS as a bind variable,
  -- the SQL text itself never changes
  OPEN results FOR
    SELECT * FROM table WHERE CONTAINS(column, filter, 1) > 0;
END;

I call the above stored procedure using ODP.NET and pass the filter parameter:
parameter.ParameterName = "filter";  // ODP.NET OracleParameter property
parameter.Value = "'FUZZY({" + userInput + "}, 65, 6, weight)*1'";

Note that it passes anything the user enters. Is it possible for the user to SQL inject in this case?

My guess is that the filter is evaluated inside the CONTAINS operator as a search keyword regardless of whether the filter itself contained malicious SQL.
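Added example, not code from the original post: a client-side helper that builds the FUZZY filter the way the post does, but keeps the SQL text constant (the user string travels only as the bind value) and refuses input that could close the `{...}` brace escape early. The rejection rule for `}` and `\` and the names `build_fuzzy_filter`/`prepare_search` are this example's assumptions.

```python
import re

# The SQL text the stored procedure runs; the only variable part is the bind.
SQL_TEXT = "SELECT * FROM table WHERE CONTAINS(column, :filter, 1) > 0"


class UnsafeSearchTerm(ValueError):
    """Raised when user input cannot be placed safely inside an Oracle Text brace escape."""


def build_fuzzy_filter(user_input: str, similarity: int = 65, max_terms: int = 6) -> str:
    """Return the Oracle Text query string that the post passes as the 'filter' bind.

    Inside {...} Oracle Text treats characters as literals, but the first '}' ends
    the escaped region and '\\' is the single-character escape. Rejecting both is a
    conservative policy (this example's assumption) that keeps the whole user term
    inside the braces, so it can only ever be a search term, never an operator.
    """
    if not user_input or not user_input.strip():
        raise UnsafeSearchTerm("empty search term")
    if re.search(r"[}\\]", user_input):
        raise UnsafeSearchTerm("search term may not contain '}' or '\\'")
    return f"FUZZY({{{user_input}}}, {similarity}, {max_terms}, weight)"


def prepare_search(user_input: str):
    """Return (sql, binds) as the driver would send them.

    SQL injection is impossible here because SQL_TEXT is never concatenated with
    user data; what remains is Oracle Text query-syntax injection, which the
    brace check in build_fuzzy_filter addresses.
    """
    return SQL_TEXT, {"filter": build_fuzzy_filter(user_input)}


if __name__ == "__main__":
    # constructed sample inputs
    print(prepare_search("oracle text"))
    for bad in ["a} OR b", "back\\slash"]:
        try:
            build_fuzzy_filter(bad)
        except UnsafeSearchTerm as exc:
            print(f"rejected {bad!r}: {exc}")
```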