Java Mailing List Archive

http://www.dba.5341.com/

Home » Home (12/2007) » oracle l »

RE: Securing forms over Oracle 10gAS

Reidy, Ron

2006-03-17


Message
Paula,
 
I think writing the rules to prevent SQL injection for mod_security would be the never ending, always incomplete job.
 
If you want to protect against SQL injection, you will need to validate all input and always use bind variables.  I know this sounds overly simplistic, but check out the results of this Google search: http://www.google.com/search?q=sql+injection+oracle&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US:official
 
Securing Apache is a large subject.  Adding Oracle to the equation just increases the complexity of the issue, because of the things you should lock down on the database and database software sides.  I think using mod_security is a step in the right direction, but, you should also consider installing Apache on a different sever, or at least, a separate ORACLE_HOME, and putting it in a jail.
 
Just my $0.02.
 
--
Ron Reidy
Lead DBA
Array BioPharma, Inc
 
-----Original Message-----
From: oracle-l-bounce@freelists.org [mailto:oracle-l-bounce@freelists.org] On Behalf Of Stankus, Paula
Sent: Friday, March 17, 2006 12:00 PM
To: ora_forum@yahoo.com; oracle-l@freelists.org
Subject: RE: Securing forms over Oracle 10gAS

We wish to secure forms over 10gAS from SQL injection… while providing internet access.  We are experimenting with mod_security.conf for Apache but when we enable it we get the forms error:  FRM-92102.

 

Is this the best way to secure forms and does anyone have experience configuring mod_security.conf?

 

Thanks in advance.

Paula  

This electronic message transmission is a PRIVATE communication which contains information
which may be confidential or privileged. The information is intended to be for the use of the individual
or entity named above. If you are not the intended recipient, please be aware that any disclosure,
copying, distribution or use of the contents of this information is prohibited. Please notify the sender
of the delivery error by replying to this message, or notify us by telephone (877-633-2436, ext. 0),
and then delete it from your system.

©2008 dba.5341.com - Jax Systems, LLC, U.S.A.