srikanthchindam 3 posts Joined 06/15
17 Jun 2015
How to Prevent SQL Injection in Teradata

Hi Team,
I am new to Teradata.
Can anyone please provide me ways to prevent SQL injection in Teradata?

TIA
Srikanth CHindam

srikanthchindam 3 posts Joined 06/15
17 Jun 2015

Hi Forum,
Please give me possible ways to prevent SQL injection for this sample code.

-- X is concatenated straight into the statement text, so its value is parsed as SQL
REPLACE PROCEDURE X_SAMPLE (in X VARCHAR(20) )
BEGIN
CALL DBC.SYSEXECSQL('UPDATE Stud_Marks SET id=3 where name='''||X);
END;

-- the closing quote in the argument terminates the literal and appends OR 1=1
CALL X_SAMPLE('abc'' OR 1=1');

Thanks in advance.
--Srikanth.CHindam

TDThrottle 51 posts Joined 11/11
20 Jun 2015

Hi Srikanth,
Unlike a web application, DW users' access is limited based on their role, and they are never authorized to make changes to the final target table. Data injection is handled only by the batch operation team in a DW environment after testing at all levels.
When you open access to a subset of data, never trust any user; it is good to cover SQL injection scenarios. In this case, before executing the dynamic query, add validation steps like:
a. input variable length
b. data type passed
c. NOT LIKE '%1=1%'
Thanks!!

dnoeth 4628 posts Joined 11/04
20 Jun 2015

Simply use parameters instead of Dynamic SQL.

Dieter
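
As an added example (not code from either poster), here is how Dieter's advice, and the length/type validation TDThrottle describes, look when applied to the X_SAMPLE procedure from the question. The UPDATE in the original never needed to be dynamic: written as a static statement, X is bound as a parameter and its value is compared literally, never parsed as SQL. The table and column names come from the thread; the whitelist pattern, the SQLSTATE value, and the use of REGEXP_SIMILAR (available in newer Teradata releases) are assumptions for illustration.

```sql
-- Added example (not from the original thread): a parameterized rewrite of X_SAMPLE.
-- Assumptions: NAME holds plain alphanumeric names of at most 20 characters;
-- SQLSTATE '45000' is an application-defined error code; REGEXP_SIMILAR exists
-- on this Teradata release.

REPLACE PROCEDURE X_SAMPLE_SAFE (IN X VARCHAR(20))
BEGIN
    -- Whitelist validation, done before any statement runs (the length/type
    -- checks from the thread). Accepting only known-good characters is more
    -- robust than searching for known-bad fragments such as '1=1'.
    IF X IS NULL
       OR CHARACTER_LENGTH(TRIM(X)) = 0
       OR CHARACTER_LENGTH(X) > 20
       OR REGEXP_SIMILAR(X, '[A-Za-z0-9 ]+', 'c') <> 1
    THEN
        SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'X_SAMPLE_SAFE: invalid name';
    END IF;

    -- Static SQL with a real parameter: no string concatenation, no SYSEXECSQL.
    -- Even without the validation above, the text 'abc'' OR 1=1' would only be
    -- compared against NAME as a literal value and would match no row.
    UPDATE Stud_Marks SET id = 3 WHERE name = X;
END;

-- Normal use: updates rows whose NAME equals 'abc'.
CALL X_SAMPLE_SAFE('abc');

-- The payload from the question is rejected by the validation step; with the
-- validation removed it would simply update zero rows.
CALL X_SAMPLE_SAFE('abc'' OR 1=1');
```

Dynamic SQL through DBC.SYSEXECSQL is only warranted when the statement shape itself must vary (for example a table name chosen at run time); in that case the varying part should be checked against a fixed list of allowed names rather than taken from the caller, and every data value should still be passed as a parameter.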

srikanthchindam 3 posts Joined 06/15
24 Jun 2015

Thank you VeluNatarajan and Dieter Noeth.
Hi Dieter,
I think it's better not to write parameterised (char type) statements in Dynamic SQL.
Is my assumption correct?
Thank you
:) :)