Lateral SQL Injection

April 26, 2008 – 7:42 AM

How can an attacker exploit a PL/SQL procedure that doesn’t even take user input? Or how does one do SQL injection using DATE or even NUMBER data types? In the past this has not been possible but as this paper will demonstrate, with a little bit of trickery, you can in the Oracle RDBMS.

Read the full story here… (PDF)

You must be logged in to post a comment.