How to Prevent SQL Injection in Teradata

Hi Team,

I am new to Teradata.

Can anyone please provide me ways to prevent SQL injection in Teradata?

TIA

Srikanth CHindam

4 REPLIES

Re: How to Prevent SQL Injection in Teradata

Hi Forum,

Please give me possible ways to prevent SQL injection for this sample code.


REPLACE PROCEDURE X_SAMPLE (IN X VARCHAR(20))
BEGIN
  -- X is concatenated straight into the SQL text, so the caller's input
  -- supplies the closing quote of the name literal
  CALL DBC.SYSEXECSQL('UPDATE Stud_Marks SET id=3 where name='''||X);
END;

-- The executed statement becomes: UPDATE Stud_Marks SET id=3 where name='abc' OR 1=1
CALL X_SAMPLE('abc'' OR 1=1');

Thanks in advance.

--Srikanth.CHindam


Re: How to Prevent SQL Injection in Teradata

Hi Srikanth,

Unlike a web application, a DW user's access is limited based on his/her role and is never authorized to make changes to the final target table. Data injection is handled only by the batch operation team in a DW environment after testing at all levels.

When you open access to subset data, never trust any user; it is good to cover SQL injection scenarios. In this case, before executing the dynamic query, add validation steps like:

a. input variable length

b. data type passed

c. NOT LIKE '%1=1%'

Thanks!!


Re: How to Prevent SQL Injection in Teradata

Simply use parameters instead of Dynamic SQL.

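As an added example (it is not part of the thread and not Teradata's own sample code), this is Srikanth's X_SAMPLE rewritten the way Dieter's reply suggests: the value is bound as a procedure parameter in a static UPDATE instead of being concatenated into a string for DBC.SysExecSQL. The table Stud_Marks and the columns id and name come from the sample above; the procedure name X_SAFE is an assumption.

```sql
-- Added example, not from the thread: the same update written without
-- dynamic SQL. The procedure name X_SAFE is an assumption; table and
-- column names are those of Srikanth's sample.
REPLACE PROCEDURE X_SAFE (IN X VARCHAR(20))
BEGIN
  -- :X is passed to the parser as data, never spliced into SQL text, so a
  -- quote or "OR 1=1" inside X is compared as a literal name value.
  -- The VARCHAR(20) declaration already enforces the input length, which
  -- covers the length and data-type checks suggested in the thread.
  UPDATE Stud_Marks SET id = 3 WHERE name = :X;
END;

-- With the input from the original post, this updates only a row whose
-- name column is exactly the string  abc' OR 1=1  (most likely none),
-- whereas the dynamic version matches every row in Stud_Marks.
CALL X_SAFE('abc'' OR 1=1');
```

Because DBC.SysExecSQL only accepts a finished SQL string, it cannot bind parameters; whenever the statement shape is fixed, a static statement inside the procedure is the safe form, and only genuinely variable parts (such as a table name chosen from a fixed allow-list) justify building SQL text.
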
Re: How to Prevent SQL Injection in Teradata

Thank you VeluNatarajan and Dieter Noeth.

Hi Dieter,

I think it's better not to write parameterised (char type) statements in Dynamic SQL.

Is my assumption correct?

Thank you

:) :)