Shulou(Shulou.com)06/01 Report--

1. Functions can only be called directly after query statements, but stored procedures can not be called directly. For example, select function () from dual is OK, but select procedure () from dual is not allowed.

two。 DML or DDL cannot be performed in the query statement, that is, if there are write operations such as insert, update, delete, create, etc., in the called function, an error will be reported unless the function is declared as an autonomous transaction, the keyword PRAGMA AUTONOMOUS_TRANSACTION

Create or replace function funinject (ftable varchar2, fcol varchar2) return pragma autonomous_transaction;my_sql varchar2 (1000); begin my_sql: = 'update' | | ftable | | 'sets' | | fcol |'= 'hack'''; execute immediate my_sql; commit; return' inject'end funinject

3. If there are write operations such as insert, update, delete, create in the function, it can only be injected into subqueries such as insert, update, delete, for example: insert into table values (1 select function () from dual)

4. Oracle cannot inject multiple statements unless the injected SQL dynamic statement is between begin and end, for example:

Create or replace function funinjecting (ftable varchar2, fcol varchar2) return varchar2 is my_sql varchar2 (1000); begin my_sql: = 'begin update' | | ftable | | 'set' | | fcol |'= 'hack'';end;'; execute immediate my_sql; return' inject'end funinjecting

Tools for unwrap Oracle SQL source code

Http://yun.baidu.com/s/1kTgP2SZ

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.