zpa icon indicating copy to clipboard operation
zpa copied to clipboard

Published 20 hours ago verified publisher icon felipebz

Simple SQL Injections not detected

Open isgroup-srl opened this issue 5 years ago • 3 comments

The plugin does not detect easy to spot SQL Injections as the following:

CREATE OR REPLACE PROCEDURE putlineDesc ( vname IN VARCHAR2 ) AS
   TYPE rcursor IS REF CURSOR;
   cur rcursor;
   vdesc VARCHAR2(1000);
   vsql VARCHAR2(4000);
BEGIN
   vsql := 'SELECT description FROM products WHERE name=''' || vname || '''';
   OPEN cur FOR vsql;
   LOOP
      FETCH cur INTO vdesc
      EXIT WHEN cur%NOTFOUND;
      dbms_output.put_line(vdesc);
   END LOOP;
   CLOSE cur;
END;

vname is the vulnerable input.

Instead the project result as clear:

screenshot from 2018-12-13 14-40-00

isgroup-srl avatar Dec 13 '18 13:12 isgroup-srl

Yes, this was expected since there are no rules checking for SQL injection yet.

felipebz avatar Dec 14 '18 02:12 felipebz

@felipebz it would be super cool!

isgroup-srl avatar Dec 18 '18 16:12 isgroup-srl

@felipebz - that would make life much easier ...

term73 avatar Aug 24 '21 07:08 term73