[Openroad-users] SQL Injection with EA Connection

Paul White pwhite at peerlessit.com.au
Thu Sep 13 07:29:53 EST 2007


Hi Chris,
I'd vote against any changes which allow SQL to be injected outside of
control of the application. Some of our apps provide a window to the
database which allows the user to freely type SQL and OpenROAD commands
for running offline. These functions are released to specific users and
are fully audited.


I suppose you could issue a sp_setapprole inside direct execute
immediate.


We modify session characteristics with direct execute like this:

    /* Find out which back-end DBMS we are connected to, so that the
       host-specific SQL below is only sent to the server that understands it */
    select :Lv_ServerClass = ifnull(dbmsinfo('Server_Class'),'');
    inquire_sql (Li_RtnStatus = errorno, Lv_Msg = errortext);

    if Li_RtnStatus <> 0 then
        Lv_Msg = 'Error determining server class. Error=' + Lv_Msg;
    elseif Lv_ServerClass = 'MSSQL' then
        /* SQL Server: host SQL passed straight through via direct execute immediate,
           each statement committed so the setting is applied to the session */
        direct execute immediate 'SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED';
        commit;
        direct execute immediate 'SET LOCK_TIMEOUT 10000';
        commit;
        direct execute immediate 'SET XACT_ABORT ON';
        commit;
    elseif Lv_ServerClass = 'Ingres DBMS Server' then
        /* Native Ingres: no wrapper needed, the 4GL statement is understood directly */
        set lockmode session where readlock = nolock, timeout = 10;
        commit;
    else
    endif;


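To make the two points in the post above concrete (session setup chosen by the application per server class from a fixed list of statements, and an ad hoc SQL window that is released only to named users and fully audited), here is an added Python example. It is not code from the original thread, from OpenROAD or from Enterprise Access. It uses an in-memory sqlite3 database as a constructed stand-in for the real DBMS, so the MSSQL and Ingres statements are returned rather than executed; the user names, the demo table and the audit table layout are assumptions made for the demonstration.

```python
"""
Added example (not from the original thread). Shows (1) application-controlled
session setup keyed by server class, as in the OpenROAD snippet above, and
(2) a free-form SQL window gated to named users where every attempt is
audited. sqlite3 in memory is a constructed stand-in for the real DBMS.
"""
import sqlite3
from datetime import datetime, timezone

# Fixed, application-controlled session setup per server class. These are
# literals chosen by the application; user input never reaches this list.
# Server-class names mirror the dbmsinfo('Server_Class') values in the post.
SESSION_SETUP = {
    "MSSQL": [
        "SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED",
        "SET LOCK_TIMEOUT 10000",
        "SET XACT_ABORT ON",
    ],
    "Ingres DBMS Server": [
        "set lockmode session where readlock = nolock, timeout = 10",
    ],
}


def session_setup_statements(server_class):
    """Return the setup statements for a server class.

    An unknown or missing server class (the 'else' branch in the post) gets
    an empty list rather than a guessed statement.
    """
    return list(SESSION_SETUP.get(server_class or "", []))


class AuditedSqlWindow:
    """Free-form SQL console restricted to named users, with every attempt audited.

    The audit row is written before any result is returned, and denied
    attempts are recorded too, so the trail shows who tried what.
    """

    def __init__(self, conn, allowed_users):
        self.conn = conn
        self.allowed_users = frozenset(allowed_users)
        # Assumed audit table layout for the demo.
        conn.execute(
            "CREATE TABLE IF NOT EXISTS sql_audit ("
            "ts TEXT, username TEXT, statement TEXT, outcome TEXT)"
        )

    def _audit(self, user, stmt, outcome):
        self.conn.execute(
            "INSERT INTO sql_audit VALUES (?, ?, ?, ?)",
            (datetime.now(timezone.utc).isoformat(), user, stmt, outcome),
        )
        self.conn.commit()

    def run(self, user, stmt):
        """Execute ad hoc SQL for an authorised user; refuse and log otherwise."""
        if user not in self.allowed_users:
            self._audit(user, stmt, "DENIED")
            raise PermissionError(f"{user} may not run ad hoc SQL")
        try:
            rows = self.conn.execute(stmt).fetchall()
        except sqlite3.Error as exc:
            self._audit(user, stmt, f"ERROR: {exc}")
            raise
        self._audit(user, stmt, "OK")
        return rows

    def audit_trail(self):
        return self.conn.execute(
            "SELECT username, statement, outcome FROM sql_audit ORDER BY rowid"
        ).fetchall()


def open_demo_window(allowed_users):
    """Build an in-memory database with a constructed table and wrap it in a window."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, amount INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", [(1, 100), (2, 250)])
    conn.commit()
    return AuditedSqlWindow(conn, allowed_users)


if __name__ == "__main__":
    window = open_demo_window(["dba1"])
    print(session_setup_statements("MSSQL"))
    print(window.run("dba1", "SELECT id, amount FROM orders"))
    try:
        window.run("clerk", "DELETE FROM orders")
    except PermissionError as e:
        print("refused:", e)
    print(window.audit_trail())
```

The free-form window deliberately does not try to validate or rewrite the SQL: once a user is trusted to type arbitrary statements, the controls that remain are who is allowed in and a complete record of what was run, which is the arrangement the post describes.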

-----Original Message-----
From: openroad-users-bounces at peerlessit.com
[mailto:openroad-users-bounces at peerlessit.com] On Behalf Of Chris Clark
Sent: Thursday, 13 September 2007 3:14 AM
To: International OpenROAD Users
Subject: Re: [Openroad-users] SQL Injection with EA Connection

Pete Rabjohns wrote:
>
> Does anyone know of any back door methods to inject some SQL into a 
> database connection initiated by Enterprise Access before it does any 
> of its own SQL, or even afterwards.
>

No :-( May be a good feature request.

> , but before it returns control to the OpenROAD application?
>

This could be done with good old ING_SET, so the SQL would be run before
OpenROAD gives control to frames/scripts. If it is host specific SQL you
would probably need to wrap it in Direct Execute Immediate 'HOST SQL'.

Modifying the application would be the more straight forward option
though.

Hope that helps,

Chris

________________________________________________________________
OpenROAD-Users mailing list

You can maintain your subscription here:
http://www.peerlessit.com/mailman/listinfo/openroad-users

To unsubscribe click on this link
mailto:openroad-users-unsubscribe at peerlessit.com&subject=unsubscribe

To subscribe click on this link
mailto:openroad-users-subscribe at peerlessit.com&subject=subscribe 
