Hello all,
I have a client that is using a penetration testing tool to test for SQL injection on an APEX application. The problem, however, is that this tool (and probably many others) assumes that the front end of a web application (for example, in the case of PHP or JSF) would strip out any odd characters and fail at that point without ever passing anything malformed to the database, and that if a database error is ever returned, the attempt at SQL injection was successful and is marked as a fail.
Of course APEX resides IN the database, and APEX calls are all routed through the "f" function in the database. When an attempt at SQL injection is made through this function, it of course traps the attempt and returns a standard ORA-06502 "numeric or value error" message. But the penetration tool sees this as a successful attempt to reach the database, and marks this as a fail.
Is there any way of masking this SPECIFIC behaviour from the "f" function, as opposed to masking all PL/SQL ORA-06502 errors in APEX? In most instances one would actually want the message (or some form of it) to be returned. In fact, masking this specific instance of the error might not be possible, because it is being returned from the "f" function itself.
Look forward to suggestions.
Regards
Femi
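The mechanism Femi describes, as an added PL/SQL example that is not part of the original post and is not APEX's own "f" function: a hypothetical entry point (demo_safe_label) receives an item value from the URL as text and converts it to NUMBER before any SQL runs, so an injection payload never reaches the SQL engine and instead raises VALUE_ERROR (ORA-06502), which is the response a scanner flags. A deliberately concatenating variant (demo_concat_label) is included only for contrast, to show what a genuinely injectable path looks like. The table demo_items, its rows and all function names are constructed for this example.

```sql
-- Added example (constructed; not from the original post, not APEX code).
-- Hypothetical table standing in for application data.
CREATE TABLE demo_items (id NUMBER PRIMARY KEY, label VARCHAR2(50));
INSERT INTO demo_items VALUES (1, 'one');
INSERT INTO demo_items VALUES (2, 'two');
COMMIT;

-- Bind-safe variant: the URL text is converted to NUMBER first. On input such
-- as "1 OR 1=1" the conversion raises VALUE_ERROR (ORA-06502) in PL/SQL, so
-- the static, bound SELECT below is never executed with attacker-controlled SQL.
CREATE OR REPLACE FUNCTION demo_safe_label (p_id IN VARCHAR2) RETURN VARCHAR2 IS
  l_id    NUMBER;
  l_label demo_items.label%TYPE;
BEGIN
  l_id := TO_NUMBER(p_id);                                   -- ORA-06502 on bad input
  SELECT label INTO l_label FROM demo_items WHERE id = l_id; -- static SQL, l_id is a bind
  RETURN l_label;
END;
/

-- Concatenating variant, for contrast only: the payload becomes part of the
-- statement text, so "1 OR 1=1" really does change the query.
CREATE OR REPLACE FUNCTION demo_concat_label (p_id IN VARCHAR2) RETURN VARCHAR2 IS
  l_label demo_items.label%TYPE;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT MAX(label) FROM demo_items WHERE id = ' || p_id   -- string concatenation
    INTO l_label;
  RETURN l_label;
END;
/

-- Harness: the same payload against both paths, reporting the outcome.
SET SERVEROUTPUT ON
DECLARE
  l_payload VARCHAR2(100) := '1 OR 1=1';   -- constructed scanner-style payload
  l_out     VARCHAR2(50);
BEGIN
  BEGIN
    l_out := demo_safe_label(l_payload);
    DBMS_OUTPUT.PUT_LINE('safe   : ' || l_out);
  EXCEPTION
    WHEN VALUE_ERROR THEN
      -- This is the ORA-06502 the scanner misreads as a successful injection:
      -- the payload was rejected before any SQL ran.
      DBMS_OUTPUT.PUT_LINE('safe   : rejected, ' || SQLERRM);
  END;

  BEGIN
    l_out := demo_concat_label(l_payload);
    -- No error here, but the WHERE clause was rewritten by the payload;
    -- this is the case a scanner should actually be looking for.
    DBMS_OUTPUT.PUT_LINE('concat : ' || l_out);
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('concat : ' || SQLERRM);
  END;
END;
/
```

Run in SQL*Plus or SQLcl against a scratch schema. The point of the contrast is that a database error alone says nothing about whether the statement was altered: the safe path errors and is not injectable, while the concatenating path succeeds and is.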