Posts

Showing posts from November, 2011

What is SQL Injection?

SQL Injection, as the name suggests, is the injection of arbitrary SQL commands or clauses into an executing program to defeat its purpose. Why would anyone inject SQL commands to defeat the purpose of a procedure? The answer is 'hackers'. Hackers are always looking for easy prey from whom to steal information. In this age of Information Technology, what gets stolen unnoticed is information. The information thus gathered can be consolidated by an experienced hacker and cause a 'hell lot of trouble'. Now that we are clear about the intent behind defeating a program, we will look at the simple, well-known types of SQL Injection: First Order Attack, Second Order Attack and Lateral Injection. A First Order Attack occurs when a hacker simply modifies the string passed to a procedure, adding a malicious string so that the program proceeds even without valid data. For example, consider the following code:

create table users (username varchar2(20), password varchar2(20)); ...

PL/SQL Server Pages or PSP

Have you heard of JSP? Have you heard of ASP? Have you heard of PHP? Of course I have heard of them all. They all do one thing: generate web pages dynamically to deliver a nice, rich front-end for the web. But have you heard of PSP? What? PSP is the acronym for Oracle's PL/SQL Server Pages. Oracle has this kind of capability? Well, Oracle has always had this sort of capability, but it went by a rather different name. It was, and is, called the PL/SQL Web Toolkit. A rather unknown, or less used, fact is that Oracle also has an extension to this, and it is called PSP. I have created a whitepaper, which is here for you to read.

Remove leading space in to_char

One point that is usually overlooked in the usage of TO_CHAR() is the leading space it returns when converting a number to a character string. Example:

select to_char('109','000.00') from dual;

TO_CHAR('109','000.00')
" 109.00"

Do you notice the leading space that TO_CHAR() has returned? If you have not noticed it and are surprised, execute this and see for yourself. This is not a bug. The reason is that Oracle reserves the first character for the sign. If you won't believe me, execute the following statement:

select to_char('-109','000.00') from dual;

TO_CHAR('-109','000.00')
"-109.00"

Notice that the length of the string has not increased when the negative value is converted by TO_CHAR(). Resist the urge to call the TRIM() function to trim out the space. TO_CHAR() has a format model element that suppresses this leading space. To suppress the leading space, simply use FM (stands for...