Best Practices for Dynamic SQL




The PL/SQL Channel: Writing Dynamic SQL in Oracle PL/SQL
Best Practices for Dynamic SQL
Steven Feuerstein
steven@stevenfeuerstein.com
www.stevenfeuerstein.com
www.plsqlchallenge.com

Quick Reminders
Download code and PowerPoint documents from www.toadworld.com/sf (aka "PL/SQL Obsession").
Make sure you are comfortable with the material covered in the previous lessons in this series: Introduction and Overview; Executing Dynamic DDL, DML, Queries and PL/SQL Blocks; Dynamic SQL Method 4.
Copyright 2010 Feuerstein and Associates Page 2

Best Practices for Dynamic SQL
Stored programs with dynamic SQL should be defined as AUTHID CURRENT_USER.
Consider making your dynamic DDL programs autonomous transactions.
Always EXECUTE IMMEDIATE a variable, not a literal string.
Avoid concatenation; bind whenever possible.
Take steps to avoid SQL injection vulnerabilities.

Use AUTHID CURRENT_USER (invoker rights)
This best practice applies to stored program units that execute dynamic SQL and can be called from other schemas. In this case, consider defining those programs with AUTHID CURRENT_USER.
Otherwise, the dynamic SQL operation could have an unintended effect: objects in the SQL statements will be resolved using the privileges of the owner (definer rights), not those of the invoker.
Demo: dropwhatever_authid.sql

Use Autonomous Transaction with Dynamic DDL
When a DDL statement is executed, Oracle performs an implicit commit. Executing DDL in PL/SQL will, therefore, also commit any outstanding changes in your session.
To avoid this, use the AUTONOMOUS_TRANSACTION pragma so that the commit is limited to the program that runs the DDL.
Demo: dropwhatever.sp

EXECUTE IMMEDIATE a variable, not a literal
It isn't hard to learn the syntax for using EXECUTE IMMEDIATE. The hard part is constructing the often very complex SQL statement.
Always construct that statement and assign it to a variable, then EXECUTE IMMEDIATE the variable. If something goes wrong, you can then log or view the statement and more easily identify the mistake you made.
Demo: dropwhatever.sp
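As an added example (not the deck's dropwhatever.sp or dropwhatever_authid.sql), here is one procedure that applies the three practices just covered together: invoker rights, an autonomous transaction around the DDL, and executing a variable so the failing text can be logged. The accepted object-type list, the audit_log and old_staging tables in the usage block, and the DBMS_ASSERT check are this example's own choices.

```sql
CREATE OR REPLACE PROCEDURE drop_whatever (
   name_in IN VARCHAR2,
   type_in IN VARCHAR2 DEFAULT 'TABLE')
   AUTHID CURRENT_USER              -- resolve the object with the caller's privileges
IS
   PRAGMA AUTONOMOUS_TRANSACTION;   -- the DDL's implicit COMMIT stays inside this program
   l_stmt   VARCHAR2 (32767);
BEGIN
   -- Only a fixed set of object types is accepted, so type_in is never
   -- spliced into the statement unchecked (the list is an assumption).
   IF UPPER (type_in) NOT IN ('TABLE', 'VIEW', 'SEQUENCE', 'PROCEDURE', 'FUNCTION')
   THEN
      raise_application_error (-20001, 'Unsupported object type: ' || type_in);
   END IF;

   -- Build the whole statement in a variable first. QUALIFIED_SQL_NAME raises
   -- ORA-44004 unless name_in is a syntactically valid, optionally
   -- schema-qualified identifier, so stray quotes or extra SQL cannot pass.
   l_stmt :=
         'DROP '
      || UPPER (type_in)
      || ' '
      || SYS.DBMS_ASSERT.qualified_sql_name (name_in);

   -- ... then execute the variable, never a literal.
   EXECUTE IMMEDIATE l_stmt;
EXCEPTION
   WHEN OTHERS
   THEN
      -- Because the text lives in a variable, we can report exactly what ran.
      DBMS_OUTPUT.put_line ('Failed statement: ' || l_stmt);
      DBMS_OUTPUT.put_line (DBMS_UTILITY.format_error_stack);
      ROLLBACK;   -- end the autonomous transaction cleanly before re-raising
      RAISE;
END drop_whatever;
/

-- Usage: the INSERT is still uncommitted after the DROP, because the implicit
-- COMMIT happened inside drop_whatever's own transaction (audit_log and
-- old_staging are assumed tables).
BEGIN
   INSERT INTO audit_log (msg) VALUES ('about to drop');
   drop_whatever ('old_staging');
   ROLLBACK;   -- undoes the INSERT; old_staging is already gone
END;
/
```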

Bind Whenever Possible
When your SQL statement needs to use values of variables in your block, you have two choices:
Concatenate those values directly into the dynamic SQL string.
Bind the value into the string through a placeholder.
Generally, you should avoid concatenation and bind whenever possible. Benefits include:
The resulting code is much easier to use.
You can avoid unnecessary parsing, since the SQL statement text does not change from one execution to the next.
You minimize the chance of injection (covered later).
Demos: useconcat*.*, usebinding.sp, toomuchbinding.sp, ultrabind.*

SQL (code) Injection
"Injection" means that unintended and often malicious code is inserted into a dynamic SQL statement. The biggest risk occurs with dynamic PL/SQL, but it is also possible to subvert SQL statements.
SQL injection is a very complex topic and cannot be adequately addressed in this lesson. I will go over the basics, but recommend you study up with the experts:
Alexander Kornbrust at www.red-database-security.com
Pete Finnegan at www.petefinnegan.com

Protection from SQL Injection
Restrict privileges tightly on external user schemas: no CREATE, DROP, etc. privileges.
Use bind variables whenever possible. You can't inject through a bound value.
Check dynamic text for dangerous text.
Use DBMS_ASSERT to validate object names, such as tables and views.
Preface all built-in packages with "SYS."
Demos: code_injection.sql, sql_guard.*, dbms_assert_demo.sql
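The same lookup written both ways, as an added example that is not the deck's code_injection.sql or sql_guard demos: first the concatenating version the two previous slides warn against, then the version that binds the value and validates the identifier with DBMS_ASSERT. The function names, the status column and the PLS_INTEGER result are assumed for illustration.

```sql
-- BEFORE: both the table name and the value are spliced into the text.
-- Any value containing a quote or a SQL fragment changes the statement,
-- and every distinct value forces a fresh hard parse.
CREATE OR REPLACE FUNCTION count_rows_unsafe (
   table_in  IN VARCHAR2,
   status_in IN VARCHAR2)
   RETURN PLS_INTEGER
   AUTHID CURRENT_USER
IS
   l_count   PLS_INTEGER;
BEGIN
   EXECUTE IMMEDIATE
         'SELECT COUNT(*) FROM ' || table_in
      || ' WHERE status = ''' || status_in || ''''
      INTO l_count;
   RETURN l_count;
END count_rows_unsafe;
/

-- AFTER: the identifier is validated as an existing object name, the value
-- is bound through a placeholder, and the built-in package is referenced as
-- SYS.DBMS_ASSERT so a same-named object in the schema cannot shadow it.
CREATE OR REPLACE FUNCTION count_rows_safe (
   table_in  IN VARCHAR2,
   status_in IN VARCHAR2)
   RETURN PLS_INTEGER
   AUTHID CURRENT_USER
IS
   l_stmt    VARCHAR2 (4000);
   l_count   PLS_INTEGER;
BEGIN
   -- Raises ORA-44002 if table_in is not a valid, existing object name.
   l_stmt :=
         'SELECT COUNT(*) FROM '
      || SYS.DBMS_ASSERT.sql_object_name (table_in)
      || ' WHERE status = :status';
   -- The bound value is data, never statement text, and the text is the
   -- same for every status value, so it is parsed once and reused.
   EXECUTE IMMEDIATE l_stmt INTO l_count USING status_in;
   RETURN l_count;
END count_rows_safe;
/
```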

NDS or DBMS_SQL: Which should you use?
Reasons to go with native dynamic SQL:
Ease of use
Works with all SQL datatypes (including user-defined object and collection types)
Fetch into records and collections of records
Usually faster runtime performance
Why you'd use DBMS_SQL:
Method 4 dynamic SQL
DESCRIBE columns of a cursor
SQL statements larger than 32K (prior to 11g)
Better reuse of parsed SQL statements: persistent cursor handles!
Bottom line: native dynamic SQL should be your first choice. And in Oracle 11g, you can move back and forth between the two approaches to get the best of both.
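An added example, not from the deck, of the Oracle 11g hand-off from DBMS_SQL to native dynamic SQL: the statement needs a run-time number of bind variables (a DBMS_SQL strength), and the rows are then fetched into a record through a REF CURSOR (an NDS strength). An employees table with employee_id, last_name and department_id columns is assumed (it matches Oracle's HR sample schema); the procedure name and record type are this example's own.

```sql
CREATE OR REPLACE PROCEDURE show_employees (
   dept_ids_in IN SYS.ODCINUMBERLIST)   -- any number of department ids
   AUTHID CURRENT_USER
IS
   TYPE emp_rt IS RECORD (employee_id NUMBER, last_name VARCHAR2 (100));
   l_emp    emp_rt;
   l_cur    INTEGER;
   l_stmt   VARCHAR2 (4000);
   l_rc     SYS_REFCURSOR;
   l_rows   INTEGER;
BEGIN
   IF dept_ids_in IS NULL OR dept_ids_in.COUNT = 0
   THEN
      RETURN;   -- an empty IN () list would not parse
   END IF;

   -- One named placeholder per id. The number of binds is only known at run
   -- time, which DBMS_SQL's bind-by-name handles and the fixed USING list of
   -- EXECUTE IMMEDIATE does not. Only placeholders go into the text, never values.
   l_stmt := 'SELECT employee_id, last_name FROM employees WHERE department_id IN (';
   FOR i IN 1 .. dept_ids_in.COUNT
   LOOP
      l_stmt := l_stmt || CASE WHEN i > 1 THEN ', ' END || ':d' || i;
   END LOOP;
   l_stmt := l_stmt || ') ORDER BY employee_id';

   l_cur := DBMS_SQL.open_cursor;
   DBMS_SQL.parse (l_cur, l_stmt, DBMS_SQL.native);
   FOR i IN 1 .. dept_ids_in.COUNT
   LOOP
      DBMS_SQL.bind_variable (l_cur, ':d' || i, dept_ids_in (i));
   END LOOP;
   l_rows := DBMS_SQL.execute (l_cur);

   -- Hand the parsed, executed cursor to native dynamic SQL. After this call
   -- l_cur belongs to the REF CURSOR: fetch from and CLOSE l_rc, not l_cur.
   l_rc := DBMS_SQL.to_refcursor (l_cur);
   LOOP
      FETCH l_rc INTO l_emp;   -- fetching into a record is the NDS advantage
      EXIT WHEN l_rc%NOTFOUND;
      DBMS_OUTPUT.put_line (l_emp.employee_id || ' ' || l_emp.last_name);
   END LOOP;
   CLOSE l_rc;
END show_employees;
/
BEGIN
   show_employees (SYS.ODCINUMBERLIST (10, 20, 30));
END;
/
```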

Dynamic SQL Conclusions
The increased complexity of dynamic SQL means that you need to take more care to write code that is easy to understand and maintain. The techniques recommended in this lesson will help you achieve this goal.

Next Steps
Download the demo.zip if you have not already (www.toadworld.com/sf).
Run the sample code yourself to better understand the features and techniques.
Apply all that you have learned in this series!