Prevent SQL Injection Attacks
One of the most common vulnerabilities in relational database applications is leaving the application open to SQL injection (described in Chapter 12). SQL injection is a technique that users can employ to insert SQL statements inside a string variable that is meant to hold query criteria values such that unintended results occur. For example, imagine a query screen that allows a customer to track an order. The screen exposes an Order Number field called q_ordernum. The user can enter a number and click the Find button to retrieve details of that order. Usually, the programmer or the framework code would include a SQL statement that uses the parameter value, such as:
stmt = "SELECT order_total, status FROM orders WHERE order_number = " + ...
Get Oracle JDeveloper 10g for Forms & PL/SQL Developers: A Guide to Web Development with Oracle ADF now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.