Chapter 3

SQL Injection

The data-centric perspective of the APEX platform means that applications generally have a lot of PL/SQL code behind the scenes. Database queries are used in the background to generate the content, similar to other web application platforms. However, with APEX, PL/SQL code can also be used for application business logic, authentication, authorization, and even in the interface presentation layer.

Wherever you have Structured Query Language (SQL) statements, there is potential for SQL Injection. APEX applications can have two types of SQL Injection problems: through the use of substitution variables, where an item value is substituted into the statement text before it is parsed, and through dynamic SQL statements that concatenate user input into the SQL string. The former is specific to the APEX platform, whereas the latter is common to many web technology stacks.
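The two injection classes named above, shown side by side as an added example that is not code from the book. The first part shows an APEX region SQL source using a substitution variable (`&P1_NAME.`, textual substitution) against the bind-variable form (`:P1_NAME`); the second shows PL/SQL dynamic SQL that concatenates a parameter against the same query with a bind placeholder, plus the identifier-validation route for a fragment that cannot be bound. The table `employees`, the page item `P1_NAME` and the function names are constructed for illustration; the block assumes an Oracle database and SQL*Plus-style `/` terminators.

```sql
-- Added example, not from the book. Table and names are constructed.
CREATE TABLE employees (empno NUMBER PRIMARY KEY, ename VARCHAR2(30));
INSERT INTO employees VALUES (1, 'SCOTT');
INSERT INTO employees VALUES (2, 'KING');
COMMIT;

-- 1. Substitution variable in an APEX region's SQL source (assumed item P1_NAME).
--    &P1_NAME. is replaced textually BEFORE the statement is parsed, so the
--    item's value becomes part of the SQL text itself.
--    Vulnerable region source:
--      SELECT empno, ename FROM employees WHERE ename = '&P1_NAME.'
--    With P1_NAME = x' OR '1'='1 the parsed statement is
--      SELECT empno, ename FROM employees WHERE ename = 'x' OR '1'='1'
--    Fixed region source (bind variable; the value is passed as data):
--      SELECT empno, ename FROM employees WHERE ename = :P1_NAME

-- 2. Dynamic SQL in PL/SQL (page process, function or package body).
CREATE OR REPLACE FUNCTION count_by_name_vuln (p_name IN VARCHAR2)
  RETURN NUMBER
IS
  l_count NUMBER;
BEGIN
  -- Vulnerable: the parameter is concatenated into the statement text,
  -- so a quote in p_name ends the literal and the rest is parsed as SQL.
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM employees WHERE ename = ''' || p_name || ''''
    INTO l_count;
  RETURN l_count;
END;
/

CREATE OR REPLACE FUNCTION count_by_name_safe (p_name IN VARCHAR2)
  RETURN NUMBER
IS
  l_count NUMBER;
BEGIN
  -- Fixed: a bind placeholder; p_name is supplied via USING and is never
  -- part of the parsed statement text.
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM employees WHERE ename = :b_name'
    INTO l_count
    USING p_name;
  RETURN l_count;
END;
/

-- Where the user-controlled part cannot be a bind (a column name in ORDER BY),
-- validate it as an identifier instead of concatenating it raw.
CREATE OR REPLACE FUNCTION list_sorted (p_sort_col IN VARCHAR2)
  RETURN SYS_REFCURSOR
IS
  l_cur SYS_REFCURSOR;
BEGIN
  -- DBMS_ASSERT.SIMPLE_SQL_NAME raises ORA-44003 for anything that is not a
  -- plain SQL identifier, so 'ename; DROP TABLE employees' is rejected.
  OPEN l_cur FOR
    'SELECT empno, ename FROM employees ORDER BY '
    || DBMS_ASSERT.SIMPLE_SQL_NAME(p_sort_col);
  RETURN l_cur;
END;
/

-- Demonstration with the classic tautology payload  x' OR '1'='1
DECLARE
  l_payload VARCHAR2(100) := 'x'' OR ''1''=''1';
BEGIN
  DBMS_OUTPUT.PUT_LINE('vuln: ' || count_by_name_vuln(l_payload)); -- counts every row
  DBMS_OUTPUT.PUT_LINE('safe: ' || count_by_name_safe(l_payload)); -- counts 0 rows
END;
/
```

Run with `SET SERVEROUTPUT ON`. The vulnerable function returns the full row count because the injected `OR '1'='1'` is parsed as SQL; the bound version compares `ename` against the literal string `x' OR '1'='1` and matches nothing. `DBMS_ASSERT.SIMPLE_SQL_NAME` only checks that the text is syntactically an identifier, not that the column exists, so an unknown column still fails at parse time rather than executing attacker-supplied SQL.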

Attacks against SQL statements started to be publicly reported in the late 1990s, and have grown in more recent years to become a significant attack vector. The term SQL Injection defines a vulnerability class affecting systems that interact with a database. Because modern web applications make heavy use of SQL, they are the most commonly targeted platform; however, SQL Injection attacks can affect almost every class of software.

The SQL syntax that is used in application database interactions can sometimes be manipulated by an end user (attacker), such that the intended query is modified to perform some unintended action. In the simplest case, a system that suffers from SQL Injection could be abused to return additional ...
