
SQL & PL/SQL


Oracle Text Contains Strings and SQL Injection

89521, Aug 4 2010 (edited Aug 4 2010)
The following is a query that is contained in a stored procedure. The value p_last_name is passed to the stored procedure. It is a VARCHAR2(40) value that may be input by a user via a web interface. To what extent is this query vulnerable to SQL injection? Is there a preferred way to code a query like this to minimize SQL injection -- for example, making the 'FUZZY({' || p_last_name || '},,, WEIGHT)' string a bind value?

Thanks

SELECT first_name,
       last_name,
       SCORE(1) AS score
  FROM student
 WHERE CONTAINS(last_name, 'FUZZY({' || p_last_name || '},,, WEIGHT)', 1) > 0
 ORDER BY SCORE(1) DESC,
          last_name;
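Added worked example (not the original poster's code, and not taken from the thread replies). It separates the two things the question runs together: SQL injection, which needs the user value to reach the SQL text itself, and Oracle Text query-syntax injection, where a `}` in the input closes the brace escape and lets the caller append operators such as `OR FUZZY(...)`. It assumes the STUDENT table from the post with an Oracle Text CONTEXT index on LAST_NAME; the function and procedure names and the sample inputs are made up for illustration.

```sql
-- Added example, not the original poster's code. Assumes the STUDENT table
-- from the post with an Oracle Text CONTEXT index on LAST_NAME; the
-- function/procedure names and the sample inputs below are hypothetical.

-- Build the Oracle Text query string. Braces make the term literal, but a
-- '}' supplied by the user ends the brace escape, so the name is first
-- reduced to an allow-list (letters, spaces, apostrophe, hyphen). Anything
-- else is dropped before it can reach the Oracle Text query parser.
CREATE OR REPLACE FUNCTION fuzzy_name_query (p_last_name IN VARCHAR2)
  RETURN VARCHAR2
IS
  l_clean VARCHAR2(40);
BEGIN
  l_clean := TRIM(REGEXP_REPLACE(p_last_name, '[^[:alpha:][:space:]''-]', ''));
  IF l_clean IS NULL THEN
    RAISE_APPLICATION_ERROR(-20001, 'last name contains no searchable characters');
  END IF;
  RETURN 'FUZZY({' || l_clean || '},,, WEIGHT)';
END fuzzy_name_query;
/

-- Static SQL inside PL/SQL, as in the post: the PL/SQL engine already passes
-- the concatenated expression to CONTAINS as a bind, so the SQL statement
-- text cannot be changed by p_last_name. Only the Oracle Text query syntax
-- is exposed, and fuzzy_name_query closes that hole.
CREATE OR REPLACE PROCEDURE fuzzy_students (p_last_name IN VARCHAR2,
                                            p_result    OUT SYS_REFCURSOR)
IS
  l_query VARCHAR2(100) := fuzzy_name_query(p_last_name);
BEGIN
  OPEN p_result FOR
    SELECT first_name, last_name, SCORE(1) AS score
      FROM student
     WHERE CONTAINS(last_name, l_query, 1) > 0
     ORDER BY SCORE(1) DESC, last_name;
END fuzzy_students;
/

-- Dynamic SQL version: the text query is still a bind (USING), never
-- concatenated into the statement. Splicing p_last_name into l_sql instead
-- would be real SQL injection: a constructed value such as
--   x},,, WEIGHT)', 1) > 0 OR 1=1 --
-- would close the literal and rewrite the WHERE clause.
CREATE OR REPLACE PROCEDURE fuzzy_students_dyn (p_last_name IN VARCHAR2,
                                                p_result    OUT SYS_REFCURSOR)
IS
  l_sql CONSTANT VARCHAR2(400) :=
    'SELECT first_name, last_name, SCORE(1) AS score
       FROM student
      WHERE CONTAINS(last_name, :q, 1) > 0
      ORDER BY SCORE(1) DESC, last_name';
BEGIN
  OPEN p_result FOR l_sql USING fuzzy_name_query(p_last_name);
END fuzzy_students_dyn;
/

-- Constructed inputs and what fuzzy_name_query turns them into:
--   'Smith'
--      -> FUZZY({Smith},,, WEIGHT)
--   'Smith},,, WEIGHT) OR FUZZY({Jones'
--      without the allow-list this would become the valid two-term query
--        FUZZY({Smith},,, WEIGHT) OR FUZZY({Jones},,, WEIGHT)
--      with it the braces and parentheses are stripped and the remainder is
--      one literal term inside the braces:
--      -> FUZZY({Smith WEIGHT OR FUZZYJones},,, WEIGHT)
--   '{}(),;'
--      -> ORA-20001, nothing searchable left after filtering
```

The point for the poster's question: with static SQL in a stored procedure, `p_last_name` is already bound, so turning the whole `FUZZY(...)` string into an explicit bind does not change the SQL-injection picture. What the concatenation does expose is the Oracle Text query language, and the fix for that is to constrain the input (or escape the Oracle Text special characters) before wrapping it in braces.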
Post Details
Locked on Sep 1 2010
Added on Aug 4 2010
2 comments
1,108 views