Comments on: Using AJAX within Oracle Application Express

By: Niels Leunen

Niels Leunen — Thu, 13 Sep 2007 10:40:00 +0000

Hi,Thanks for this interesting information concerning SQL Injection. For this reason we only use this ‘method’ in an inTRAnet environment. I will mention this security risk in the blog itself. It may indeed be a good idea to check all AJAX calls against a database table to make sure the call is permitted.

By: Chris

Chris — Tue, 04 Sep 2007 10:40:00 +0000

Hi!I think this is some kind of proof of concept, but this implementation leaves your database wide open to sql injection attacks. You should make sure that the possible procedure calls are limited, e.g. by checking the argument against a table.

By: Patrick Wolf

Patrick Wolf — Mon, 03 Sep 2007 18:15:00 +0000

Hi Niels,you should reconsider that code, because that introduced into your application/database a huge SQL injection door.Consider that your application schema is often a high privileged user, sometimes even with DBA privileges. All your APEX code is executed with the privileges of your application schema/user. So basically you can do everything with that user.I just have to do an AJAX call withEXECUTE IMMEDIATE ”CREATE USER ABC IDENTIFIED BY xxx;” as string and another one where I grant DBA privileges and I have my own user in your database…Patrick

By: John Scott

John Scott — Mon, 03 Sep 2007 18:12:00 +0000

Hi Niels,Very nice write up, however just be aware that passing through the code you want to execute via the JavaScript function could potentially open up a very big security hole in your application.So, unless you *really* trust your end users, you might want to add some ‘sanity checking’ to the code to stop people executing arbitrary procedures (i.e. they could modify the JavaScript themselves and have it execute any code they like on the server).John.