Hi All--
Has anyone dealt with a SQL injection vulnerability in an ALTER USER statement?
I've basically got a SQL statement being constructed like:
"ALTER USER " + userId + " IDENTIFIED BY \"" + password + "\" ACCOUNT UNLOCK";
Being built in a Java app, if it makes any difference. The userId and password values are coming straight out of an incoming HTTP request (and thusly are untrusted), and then being concatenated straight into the query. Usually the fix for SQL injection in web apps is just parameterizing the untrusted parameters-- but apparently:
You can't use bind variables in place of identifiers, such as the user name in this statement. The value of the identifier needs to be known when the statement is parsed, whereas a bind value is incorporated after parsing, before execution.
That's ^ from here.
So... is there a way to prevent SQL injection in an ALTER USER statement? Input validation is going to be super brittle here... we'll have to let all kinds of special characters through for any strong password value, and presently the only restriction on characters for that password value is the 12c reqs.
Anyone have any input to share here?
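
One way to constrain both values before they are concatenated, as an added example that is not part of the original post. The class name AlterUserSql, the method build, the 30-character identifier limit and the printable-ASCII password rule are assumptions for illustration.

```java
import java.util.regex.Pattern;

public final class AlterUserSql {
    // Assumption: nonquoted identifier, 30-character limit; adjust to your release.
    private static final Pattern USER_NAME =
            Pattern.compile("[A-Za-z][A-Za-z0-9_$#]{0,29}");

    /** Returns the statement text, or throws if either value could change its structure. */
    public static String build(String userId, String password) {
        if (userId == null || !USER_NAME.matcher(userId).matches()) {
            throw new IllegalArgumentException("user name is not a simple identifier");
        }
        if (password == null || password.isEmpty()) {
            throw new IllegalArgumentException("password is empty");
        }
        for (int i = 0; i < password.length(); i++) {
            char c = password.charAt(i);
            // Inside "..." only the double quote ends the token. Control and
            // non-ASCII characters are refused as well (assumption) so that a
            // character-set conversion cannot turn a look-alike into '"'.
            if (c == '"' || c < 0x20 || c > 0x7E) {
                throw new IllegalArgumentException("password contains a disallowed character");
            }
        }
        return "ALTER USER " + userId + " IDENTIFIED BY \"" + password + "\" ACCOUNT UNLOCK";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate pair, two that must be refused.
        String[][] samples = {
            {"APP_USER", "S3cure'Pw;--#(1)"},
            {"APP_USER IDENTIFIED BY x --", "anything"},
            {"APP_USER", "pw\" ACCOUNT LOCK --"},
        };
        for (String[] s : samples) {
            try {
                System.out.println("OK       " + build(s[0], s[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECTED " + e.getMessage());
            }
        }
    }
}
```

Characters such as ' ; - # ( ) all pass, so the password rule excludes only the delimiter, control characters and non-ASCII input. The exception messages never include the password, so it does not end up in logs.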