2011-12-01 Prevention of SQL injection

2025-03-26 Update. From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

Http://www.itpub.net/thread-1499223-21-1.html

Post #207:

I create the following two tables and fill them with data:

CREATE TABLE plch_names1 (name VARCHAR2(100))
/
CREATE TABLE plch_names2 (name VARCHAR2(100))
/
BEGIN
   INSERT INTO plch_names1 VALUES ('Paul');
   INSERT INTO plch_names1 VALUES ('Ringo');
   INSERT INTO plch_names1 VALUES ('John');
   INSERT INTO plch_names1 VALUES ('George');
   INSERT INTO plch_names2 VALUES ('Jerry');
   INSERT INTO plch_names2 VALUES ('Bob');
   INSERT INTO plch_names2 VALUES ('Phil');
   COMMIT;
END;
/

Then I create this function, which returns a cursor over the name column of the specified table:

CREATE OR REPLACE FUNCTION plch_get_names (table_in IN VARCHAR2)
   RETURN SYS_REFCURSOR
IS
   l_cv   SYS_REFCURSOR;
BEGIN
   -- the table name is concatenated straight into the dynamic SQL
   OPEN l_cv FOR 'select name from ' || table_in || ' order by name';
   RETURN l_cv;
END plch_get_names;
/

Here is a "helper" procedure to display the data returned by this function:

CREATE OR REPLACE PROCEDURE plch_show_names (table_in IN VARCHAR2)
IS
   l_cv     SYS_REFCURSOR;
   l_name   plch_names1.name%TYPE;
BEGIN
   DBMS_OUTPUT.put_line ('Names in ' || table_in);
   l_cv := plch_get_names (table_in);
   LOOP
      FETCH l_cv INTO l_name;
      EXIT WHEN l_cv%NOTFOUND;
      DBMS_OUTPUT.put_line (l_name);
   END LOOP;
   CLOSE l_cv;
END plch_show_names;
/

When I run the following block, I see the members of the Beatles and of the Grateful Dead (that is, the data in the two tables above):

BEGIN
   plch_show_names ('plch_names1');
   plch_show_names ('plch_names2');
END;
/

Unfortunately, if I do this:

BEGIN
   plch_show_names ('plch_names2 where 1=2 union select username from all_users --');
END;
/

I see the names of all users in the database instance, which is a security violation: a SQL injection.

Which of the following versions of plch_get_names throws an exception when the "injection" value is passed in, but still shows the table data when a "real" table name such as plch_names1 or plch_names2 is passed in?

(A)

BEGIN
   OPEN l_cv FOR 'select name from ' || DBMS_ASSERT.simple_sql_name (table_in) || ' order by name';
   RETURN l_cv;
END plch_get_names;

(B)

BEGIN
   DBMS_ASSERT.simple_sql_name (table_in);
   OPEN l_cv FOR 'select name from ' || table_in || ' order by name';
   RETURN l_cv;
END plch_get_names;

(C)

BEGIN
   OPEN l_cv FOR 'select name from ' || DBMS_ASSERT.qualified_sql_name (table_in) || ' order by name';
   RETURN l_cv;
END plch_get_names;

(D)

BEGIN
   OPEN l_cv FOR 'select name from :table_name order by name' USING table_in;
   RETURN l_cv;
END plch_get_names;

The answer is in post #209.

2011-12-01 Answer: A and C.

DBMS_ASSERT.SIMPLE_SQL_NAME checks whether a name is a simple name that can be used in SQL: it must begin with a letter, followed by letters, digits or the characters _, $ and #; a double-quoted name is allowed and may contain any characters, and a double quote inside the quoted name must be doubled. Leading and trailing whitespace in the input is ignored. The length of the name is not checked. DBMS_ASSERT.QUALIFIED_SQL_NAME is more relaxed: it also allows . (a dot, for record members, functions in a PACKAGE, a SCHEMA owner, etc.) and @ (for a DBLINK).

Answer B: simple_sql_name is a function, not a procedure, so its return value must be assigned to a variable.

Answer D: a table name cannot be supplied through a bind variable.
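An added example, not from the itpub thread or the quiz it reposts: the option (A) version of plch_get_names, followed by an anonymous block that feeds it the two real table names, a quoted identifier and the injection string from the post, and reports which calls succeed and which exception each failing call raises. It assumes the plch_names1 and plch_names2 tables created above exist in the current schema and that DBMS_OUTPUT is enabled (SET SERVEROUTPUT ON in SQL*Plus or SQLcl); the list of inputs is constructed for the demonstration.

```sql
-- Added example (not the original poster's code): hardened plch_get_names
-- from option (A), plus a driver block that exercises it.
CREATE OR REPLACE FUNCTION plch_get_names (table_in IN VARCHAR2)
   RETURN SYS_REFCURSOR
IS
   l_cv   SYS_REFCURSOR;
BEGIN
   -- simple_sql_name raises ORA-44003 for anything that is not a single
   -- bare or double-quoted identifier, so the text spliced into the
   -- statement can only ever be one name, never a WHERE clause or UNION.
   OPEN l_cv FOR
      'select name from ' || DBMS_ASSERT.simple_sql_name (table_in)
      || ' order by name';
   RETURN l_cv;
END plch_get_names;
/

DECLARE
   -- constructed inputs: two real names (one with surrounding whitespace),
   -- a double-quoted lower-case identifier, and the injection string
   TYPE t_inputs IS TABLE OF VARCHAR2 (200);
   l_inputs   t_inputs := t_inputs (
      'plch_names1',
      '  PLCH_NAMES2  ',
      '"plch_names1"',
      'plch_names2 where 1=2 union select username from all_users --'
   );
   l_cv       SYS_REFCURSOR;
   l_name     VARCHAR2 (100);
   l_count    PLS_INTEGER;
BEGIN
   FOR i IN 1 .. l_inputs.COUNT LOOP
      BEGIN
         l_cv := plch_get_names (l_inputs (i));
         l_count := 0;
         LOOP
            FETCH l_cv INTO l_name;
            EXIT WHEN l_cv%NOTFOUND;
            l_count := l_count + 1;
         END LOOP;
         CLOSE l_cv;
         DBMS_OUTPUT.put_line ('OK   [' || l_inputs (i) || '] rows=' || l_count);
      EXCEPTION
         WHEN OTHERS THEN
            -- ORA-44003: DBMS_ASSERT rejected the name before any SQL was built
            -- ORA-00942: the name passed the check but no such table exists
            DBMS_OUTPUT.put_line ('FAIL [' || l_inputs (i) || '] ' || SQLERRM);
      END;
   END LOOP;
END;
/
```

The injection string fails inside DBMS_ASSERT with ORA-44003 (invalid SQL name) before any statement is built, which is the exception the quiz asks for. The quoted identifier "plch_names1" passes the check, because DBMS_ASSERT only validates the shape of the name, and then fails at OPEN with ORA-00942 because the tables were created with unquoted, upper-case names. Validating the identifier does not verify that the object exists or that the caller is allowed to read it; handling ORA-00942 separately, or resolving the name with DBMS_UTILITY.NAME_RESOLVE first, remains the caller's job.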
