SQL Injection in PL/SQL – myth or fact?

  • A+

I am trying to hack my PL/SQL code. We create the PL/SQL procedure that opens and fetch the cursor. By our standard we did create a dynamic SQL statement, but we are unable to inject the OR 1=1 condition.

I did prepare a http://sqlfiddle.com/#!4/a62a3/5 demo, where you can try to inject the code.

CREATE FUNCTION get_documents (p_document_id IN DOCUMENTS.DOCUMENT_ID%TYPE)     RETURN SYS_REFCURSOR AS     p_rs SYS_REFCURSOR; BEGIN     DBMS_OUTPUT.PUT_LINE('------ INPUT VALUES ------');     DBMS_OUTPUT.PUT_LINE('p_document_id: ' || p_document_id);      OPEN p_rs FOR          SELECT DOCUMENT_ID, '(' || MY_FIELD || ')' FROM DOCUMENTS WHERE DOCUMENT_ID = '' ||  p_document_id  || '';     RETURN p_rs; END; 

We tried to inject the code in p_document_id parameter. We set it to:

 document_refcur_local:=get_documents('10'' OR 1=1; -- '); 

but we were unable to select all records. Could you please let me know what am I doing it wrong?


This is not in fact a dynamic statement and so is not vulnerable to an injection.

If you built this string from a front-end with string concatenation of the p_document_id outside of the SQL query - then sent it to SQL, it would be vulnerable, but you cannot do the injection in the SQL query itself (Unless building a string then running it, i.e. a dynamic query, which yours is not doing)

A dynamic query vulnerable to injection would look more like;


And you could inject by passing as someUserInput something like

' OR 1=1; -- 


:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: