
SQL & PL/SQL


Authorization Bypass Through User Controlled SQL PrimaryKey in Oracle procedure

raghunadhan, Jun 2 2025 (edited Jun 2 2025)

Hi Team,

We found one SQL injection vulnerability in an Oracle package while scanning via the Checkmarx tool. We fixed it by using bind variables for the dynamic update statement. We scanned the package again and now it is showing “Authorization Bypass Through User Controlled SQL PrimaryKey” in the Oracle procedure for the same update statement. Can you help on how to fix it? Our security team is not allowing us to deploy the code although it is medium severity. Below is the update statement:

IF l_col_exist = 3 THEN
   -- Table name, column list and WHERE condition are concatenated into the
   -- statement text; only the values are bound (:1 .. :5).
   -- l_sysdate is still embedded as a quoted literal rather than bound.
   l_sql := 'UPDATE ' || l_tablename ||
            ' SET ' || l_set_column_list
            || 'cntl_process' || ' = :1 ,'
            || 'cntl_user_id' || ' = :2,'
            || 'cntl_timestamp' || ' = ''' || l_sysdate || '''
            WHERE ' || l_condition || ' AND ROWID BETWEEN :3 AND :4 ' || '
            AND ' || 'NVL(cntl_process,''A'') <> :5';
ELSE
   -- l_set_column_list appears to end with a trailing comma; SUBSTR strips it here.
   l_sql := 'UPDATE ' || l_tablename ||
            ' SET ' || SUBSTR(l_set_column_list, 1, LENGTH(l_set_column_list) - 1) ||
            ' WHERE ' || l_condition || ' AND ROWID BETWEEN :1 AND :2 ';
END IF;

IF l_col_exist = 3 THEN
   -- :5 reuses l_source so rows already carrying this process value are skipped.
   EXECUTE IMMEDIATE l_sql USING l_source, l_userid, l_start_val, l_end_val, l_source;
ELSE
   EXECUTE IMMEDIATE l_sql USING l_start_val, l_end_val;
END IF;
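One way to restructure this statement so that the identifier is validated, every value is bound and an authorization check runs before any row is written, as an added example that is not code from the post or its replies. The procedure name, the allow-list table app_updatable_tables and its required_role column are assumptions.

```sql
-- Added example, not code from the post or its replies: the same update
-- with identifiers validated, every value bound and an explicit
-- authorization check before any row is touched.
-- ASSUMPTION: app_updatable_tables(table_name, required_role) lists the
-- tables this procedure may update and the role a caller needs.
CREATE OR REPLACE PROCEDURE update_cntl_rows (
    p_tablename IN VARCHAR2,
    p_source    IN VARCHAR2,
    p_userid    IN VARCHAR2,
    p_start_val IN VARCHAR2,   -- ROWID range bounds arrive as text
    p_end_val   IN VARCHAR2
) AUTHID CURRENT_USER IS
    l_tablename VARCHAR2(128);
    l_role      VARCHAR2(128);
    l_sql       VARCHAR2(4000);
BEGIN
    -- 1. Identifier check: DBMS_ASSERT raises ORA-44002 unless the input
    --    is a well-formed name of an existing object, so nothing but a
    --    table name can reach the concatenation below.
    l_tablename := DBMS_ASSERT.SQL_OBJECT_NAME(p_tablename);

    -- 2. Authorization: the table must be on the allow-list and the caller
    --    must hold the role recorded for it. A caller-supplied key (here a
    --    ROWID range) must never be the only thing deciding which rows
    --    are written, which is what the scanner finding is about.
    BEGIN
        SELECT t.required_role INTO l_role
          FROM app_updatable_tables t
         WHERE UPPER(t.table_name) = UPPER(l_tablename);
    EXCEPTION
        WHEN NO_DATA_FOUND THEN
            RAISE_APPLICATION_ERROR(-20001, 'table not updatable here');
    END;
    IF NOT DBMS_SESSION.IS_ROLE_ENABLED(l_role) THEN
        RAISE_APPLICATION_ERROR(-20002, 'caller lacks ' || l_role);
    END IF;

    -- 3. Only the validated identifier is concatenated. Every value,
    --    including the timestamp, is bound; CHARTOROWID makes a malformed
    --    bound raise an error instead of silently matching rows.
    l_sql := 'UPDATE ' || l_tablename ||
             ' SET cntl_process = :src, cntl_user_id = :usr,' ||
             ' cntl_timestamp = :ts' ||
             ' WHERE ROWID BETWEEN CHARTOROWID(:lo) AND CHARTOROWID(:hi)' ||
             ' AND NVL(cntl_process, ''A'') <> :src_again';
    EXECUTE IMMEDIATE l_sql
        USING p_source, p_userid, SYSDATE, p_start_val, p_end_val, p_source;
END update_cntl_rows;
/
```

The dynamic l_set_column_list and l_condition from the post are left out on purpose: a caller-supplied WHERE clause cannot be made safe by binding and would have to be assembled from column names checked with DBMS_ASSERT.SIMPLE_SQL_NAME.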
