The DBMS_ASSERT package was introduced in Oracle 10g Release 2 and backported to Release 1 in the Oracle October 2005 Critical Patch Update. There are currently no references to this package in the 10g Release 2 documentation or on Metalink. The package contains a number of functions that can be used to sanitize user input and help to guard against SQL injection in applications that don't use bind variables.
ENQUOTE_LITERAL Function
Enquotes a string literal
ENQUOTE_NAME Function
Encloses a name in double quotes
NOOP Functions
Returns the value without any checking
QUALIFIED_SQL_NAME Function
Verifies that the input string is a qualified SQL name
SCHEMA_NAME Function
Verifies that the input string is an existing schema name
SIMPLE_SQL_NAME Function
Verifies that the input string is a simple SQL name
SQL_OBJECT_NAME Function
Verifies that the input parameter string is a qualified SQL identifier of an existing SQL object
It is this DBMS_Assert Package that that guarantees immunity to SQL Injection.
No comments:
Post a Comment