zpa
zpa copied to clipboard
Simple SQL Injections not detected
The plugin does not detect easy to spot SQL Injections as the following:
CREATE OR REPLACE PROCEDURE putlineDesc ( vname IN VARCHAR2 ) AS
TYPE rcursor IS REF CURSOR;
cur rcursor;
vdesc VARCHAR2(1000);
vsql VARCHAR2(4000);
BEGIN
vsql := 'SELECT description FROM products WHERE name=''' || vname || '''';
OPEN cur FOR vsql;
LOOP
FETCH cur INTO vdesc
EXIT WHEN cur%NOTFOUND;
dbms_output.put_line(vdesc);
END LOOP;
CLOSE cur;
END;
vname
is the vulnerable input.
Instead the project result as clear:
Yes, this was expected since there are no rules checking for SQL injection yet.
@felipebz it would be super cool!
@felipebz - that would make life much easier ...