Injection
SQL Injection can occur when untrusted data is used in a command or query. If an attacker sends hostile data, it can cause harmful commands to be executed or give unauthorised access to data.
To prevent injection when you write your own PL/SQL code to access the Oracle DMW APIs, your code should:
- Use parameterised queries. Use prepared statements rather than generating dynamic SQL.
- Use bind variables. Use bind variables to enter input values into SQL statements.
- Validate user input. Whitelist (allow-list) input validation is preferred, to ensure that the input is an expected value. As appropriate for different data types: check the input length, check for a permitted value, check for proper format, check for permitted characters, and/or check minimum and maximum value ranges.
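The three recommendations above side by side, as an added PL/SQL example that is not from the Oracle DMW documentation or its APIs; the STUDY_SUBJECTS table, the column allow-list and the function names are assumptions:

```plsql
-- Added example, not Oracle's DMW code. Assumes a hypothetical table
-- STUDY_SUBJECTS(subject_id, study_name, status) in the current schema.

-- VULNERABLE: the untrusted value becomes part of the SQL text, so any
-- quote character in it changes the statement rather than the data.
CREATE OR REPLACE FUNCTION count_subjects_unsafe (p_study_name IN VARCHAR2)
  RETURN NUMBER IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM study_subjects WHERE study_name = '''
                    || p_study_name || '''' INTO l_count;
  RETURN l_count;
END count_subjects_unsafe;
/

-- SAFE: static SQL; PL/SQL variables are bound, never spliced into the text.
CREATE OR REPLACE FUNCTION count_subjects (p_study_name IN VARCHAR2)
  RETURN NUMBER IS
  l_count NUMBER;
BEGIN
  SELECT COUNT(*) INTO l_count FROM study_subjects
   WHERE study_name = p_study_name;  -- p_study_name is a bind variable
  RETURN l_count;
END count_subjects;
/

-- SAFE when dynamic SQL is unavoidable: bind the value with USING, and
-- allow-list + DBMS_ASSERT any identifier that cannot be bound.
CREATE OR REPLACE FUNCTION count_subjects_by (p_column IN VARCHAR2,
                                              p_value  IN VARCHAR2)
  RETURN NUMBER IS
  l_count NUMBER;
  l_col   VARCHAR2(30);
BEGIN
  -- Allow-list: only the expected column names are accepted.
  IF UPPER(p_column) NOT IN ('STUDY_NAME', 'STATUS') THEN
    RAISE_APPLICATION_ERROR(-20001, 'Unexpected filter column');
  END IF;
  -- Length, permitted-character and format checks on the value.
  IF p_value IS NULL OR LENGTH(p_value) > 100
     OR NOT REGEXP_LIKE(p_value, '^[[:alnum:] _-]+$') THEN
    RAISE_APPLICATION_ERROR(-20002, 'Invalid filter value');
  END IF;
  -- SIMPLE_SQL_NAME raises ORA-44003 if the name is not a simple SQL name.
  l_col := DBMS_ASSERT.SIMPLE_SQL_NAME(UPPER(p_column));
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM study_subjects WHERE '
                    || l_col || ' = :val' INTO l_count USING p_value;
  RETURN l_count;
END count_subjects_by;
/
```

The static-SQL form is preferable wherever the statement shape is fixed; the dynamic form shows that a column name can never be a bind variable, which is why it must be validated before it reaches the SQL text.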