
SQL injection while scanning using Checkmarx tool

raghunadhan, Jul 11 2025 (edited Jul 11 2025)

Hi, we have a procedure where we are passing a table with an alias as input, and there it is showing SQL injection. I have shown it below and bolded the text. Can you check the issue which is in bold and help on this? Here P_TABLE has the table name with the alias, like emp EM, and p_condition has only the where condition starting with "where ", like: where eemp.name=d.emp_name, except for p_operation_type='SELECT '. For p_operation_type='select ' we will execute it directly, as shown in bold.

Can you help me on this?

```sql
PROCEDURE INSERT_TEMP_TABLE(p_table          VARCHAR2,
                            p_condition      VARCHAR2,
                            p_operation_type VARCHAR2,
                            p_id             NUMBER,
                            p_condition2     VARCHAR2) IS
  PRAGMA AUTONOMOUS_TRANSACTION;

  l_sql2          VARCHAR2(4000);
  l_sql_del       VARCHAR2(4000);

  l_table_exists  NUMBER;
  l_condition     VARCHAR2(4000);
  l_temp_table    VARCHAR2(500);
  l_temp_schema   VARCHAR2(500);   -- used below but never declared in the post
  l_table         VARCHAR2(500);
  l_select_var    VARCHAR2(4000);
  l_alias         VARCHAR2(500);
  l_indx_tblspace VARCHAR2(500);
  l_tbl           VARCHAR2(500);
  v_tbl           VARCHAR2(500);
  l_test          VARCHAR2(4000);
  l_var           VARCHAR2(4000);  -- target of the SELECT branch; never declared in the post
BEGIN
  l_indx_tblspace := 'SWN_INDEX1';
  l_temp_schema   := USER;         -- assumption: the post never assigns it
  v_tbl   := p_table;                                   -- Checkmarx: parameter tampering
  l_table := SUBSTR(v_tbl, 1, INSTR(v_tbl, ' ') - 1);   -- Checkmarx: SQL injection
  l_temp_table := 'TEMP_' || l_table;
  l_condition  := p_condition2;
  l_alias      := TRIM(SUBSTR(v_tbl, INSTR(v_tbl, ' ')));
  DBMS_OUTPUT.PUT_LINE('test0 ');

  -- THEN / ELSE / END IF are missing in the post; the branch layout follows its description
  IF p_operation_type = 'SELECT ' THEN
    EXECUTE IMMEDIATE p_condition INTO l_var;   -- Checkmarx: second-order SQL injection
  ELSE
    -- l_select_var := ' SELECT ' || l_alias || '.*,SYSDATE AS Archive_datetime ,' || dbms_assert.enquote_literal(p_operation_type) || ' AS OPERATION_TYPE,' || p_id || ' AS ILM_ID FROM ';

    -- checking whether the temp table already exists or not
    -- (the post had 'SELECT COUNT(*) INTO :result ...'; INTO is not valid inside the
    --  dynamic string, the EXECUTE IMMEDIATE ... INTO clause receives the value instead)
    l_sql2 := 'SELECT COUNT(*) FROM USER_TABLES WHERE UPPER(TABLE_NAME) = '
              || dbms_assert.enquote_literal(l_temp_table);
    EXECUTE IMMEDIATE l_sql2 INTO l_table_exists;

    IF l_table_exists = 0 THEN
      -- create temp table
      EXECUTE IMMEDIATE 'CREATE TABLE '
        || l_temp_schema
        || '.'
        || l_temp_table
        || ' AS SELECT ' || TRIM(SUBSTR(v_tbl, INSTR(v_tbl, ' '))) || '.*,SYSDATE AS Archive_datetime ,'
        || dbms_assert.enquote_literal(p_operation_type) || ' AS OPERATION_TYPE,' || p_id || ' AS ILM_ID FROM '
        || dbms_assert.sql_object_name(l_table)
        || ' ' || TRIM(SUBSTR(v_tbl, INSTR(v_tbl, ' ')))
        || ' WHERE '
        || DBMS_ASSERT.simple_sql_name(l_condition);   -- accepts a single plain identifier only; a real predicate raises ORA-44003
    END IF;
  END IF;
END INSERT_TEMP_TABLE;
```
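A hardened form of the same procedure, added here as an illustration; it is not code from the post or from the poster. It assumes the temp table lives in the current schema, and the predicate allow-list (BY_NAME, BY_DEPT) with its column names is constructed for the example.

```sql
CREATE OR REPLACE PROCEDURE insert_temp_table_safe(
    p_table          IN VARCHAR2,   -- e.g. 'emp EM': object name, one space, alias
    p_operation_type IN VARCHAR2,
    p_id             IN NUMBER,
    p_condition_key  IN VARCHAR2,   -- picks a predicate from a fixed list; no free-text WHERE
    p_bind_value     IN VARCHAR2)   -- the only caller value that reaches the predicate
IS
  PRAGMA AUTONOMOUS_TRANSACTION;
  l_table      VARCHAR2(128);
  l_alias      VARCHAR2(128);
  l_temp_table VARCHAR2(128);
  l_predicate  VARCHAR2(400);
  l_exists     NUMBER;
BEGIN
  -- 1. Split "name alias" and validate each half on its own. SQL_OBJECT_NAME raises
  --    ORA-44002 unless the object exists (no space => NULL => rejected as well);
  --    SIMPLE_SQL_NAME raises ORA-44003 unless the alias is a plain identifier.
  l_table := DBMS_ASSERT.SQL_OBJECT_NAME(TRIM(SUBSTR(p_table, 1, INSTR(p_table, ' ') - 1)));
  l_alias := DBMS_ASSERT.SIMPLE_SQL_NAME(TRIM(SUBSTR(p_table, INSTR(p_table, ' '))));
  l_temp_table := DBMS_ASSERT.SIMPLE_SQL_NAME('TEMP_' || l_table);
  -- 2. The predicate text is ours (constructed allow-list for the example); the
  --    caller's value only ever travels through a bind variable.
  CASE UPPER(p_condition_key)
    WHEN 'BY_NAME' THEN l_predicate := l_alias || '.name = :v';
    WHEN 'BY_DEPT' THEN l_predicate := l_alias || '.dept_id = :v';
    ELSE RAISE_APPLICATION_ERROR(-20001, 'unknown condition key');
  END CASE;
  -- 3. Existence check as static SQL, so there is nothing to concatenate.
  SELECT COUNT(*) INTO l_exists FROM user_tables WHERE table_name = UPPER(l_temp_table);
  -- 4. DDL cannot take binds (ORA-01027), so create the empty shape first ...
  IF l_exists = 0 THEN
    EXECUTE IMMEDIATE 'CREATE TABLE ' || l_temp_table || ' AS SELECT '
      || l_alias || '.*, SYSDATE AS archive_datetime, '
      || 'CAST(NULL AS VARCHAR2(30)) AS operation_type, CAST(NULL AS NUMBER) AS ilm_id '
      || 'FROM ' || l_table || ' ' || l_alias || ' WHERE 1 = 0';
  END IF;
  -- 5. ... then load it with DML, where binds are allowed (positional: :op, :id, :v).
  EXECUTE IMMEDIATE 'INSERT INTO ' || l_temp_table || ' SELECT '
    || l_alias || '.*, SYSDATE, :op, :id FROM ' || l_table || ' ' || l_alias
    || ' WHERE ' || l_predicate
    USING p_operation_type, p_id, p_bind_value;
  COMMIT;  -- an autonomous transaction must commit before it returns
END insert_temp_table_safe;
/
```

Only identifiers that passed DBMS_ASSERT are ever concatenated; every caller-supplied value goes through USING, which is what static analysers such as Checkmarx look for.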