I am new to Teradata.
Can anyone please provide me with ways to prevent SQL injection in Teradata?
Please give me possible ways to prevent SQL injection for this sample code.
REPLACE PROCEDURE X_SAMPLE (IN X VARCHAR(20))
BEGIN
    -- the caller's text is concatenated straight into the statement and the opening
    -- quote is never closed, so whatever is passed in X decides where the WHERE clause ends
    CALL DBC.SYSEXECSQL('UPDATE Stud_Marks SET id=3 WHERE name='''||X);
END;

-- the doubled quote inside the literal is a single quote in the value, so X is  abc' OR 1=1
-- and the statement actually executed is  UPDATE Stud_Marks SET id=3 WHERE name='abc' OR 1=1
CALL X_SAMPLE('abc'' OR 1=1');
Thanks in advance.
Unlike a web application, DW users' access is limited based on their role, and they are never authorized to make changes to the final target table. Data injection is handled only by the batch operation team in the DW environment, after testing at all levels.
When you open access to a subset of data, never trust any user; it is good to cover SQL injection scenarios. In this case, before executing the dynamic query, add validation steps like:
a. input variable length
b. data type passed
c. NOT LIKE '%1=1%'
Thank you VeluNatarajan and Dieter Noeth.
I think it's better not to write parameterised (char type) statements in dynamic SQL.
Is my assumption correct?
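The two approaches the thread arrives at, written out as an added example (this is not code from the thread or from Teradata's documentation): first the static version that the follow-up question hints at, where the parameter is bound as a value and no dynamic SQL is built at all; then a dynamic version that applies the validation steps from the answer (length, type/allowed characters) and escapes the value before calling DBC.SYSEXECSQL. It assumes the Stud_Marks(name, id) table from the question, a Teradata release that has OREPLACE and REGEXP_SIMILAR (14.10 or later), and an assumed policy that a student name contains only letters and spaces; the procedure names and SQLSTATE values are made up for the example.

```sql
-- Added example, not the thread's own code. Assumes Stud_Marks(name, id) exists
-- and Teradata 14.10+ (OREPLACE, REGEXP_SIMILAR). Procedure names are invented.

-- 1. Preferred: static SQL. The parameter is bound as a value, so the text of X
--    is never parsed as part of the statement and cannot change its structure.
REPLACE PROCEDURE X_SAMPLE_STATIC (IN X VARCHAR(20))
BEGIN
    UPDATE Stud_Marks SET id = 3 WHERE name = :X;
END;

-- 2. Only if the statement really has to be assembled at run time:
--    validate first, then escape, then close the literal yourself.
REPLACE PROCEDURE X_SAMPLE_DYNAMIC (IN X VARCHAR(20))
BEGIN
    DECLARE stmt VARCHAR(500);

    -- a. length: reject NULL or empty input (the VARCHAR(20) type already caps the maximum)
    IF X IS NULL OR CHARACTER_LENGTH(X) = 0 THEN
        SIGNAL SQLSTATE '70001' SET MESSAGE_TEXT = 'name must be 1 to 20 characters';
    END IF;

    -- b. allow-list the characters a name may contain (assumed policy: letters and spaces).
    --    An allow-list is the check to rely on; a blocklist such as NOT LIKE '%1=1%'
    --    only recognises that one literal.
    IF REGEXP_SIMILAR(X, '[A-Za-z ]+', 'c') = 0 THEN
        SIGNAL SQLSTATE '70002' SET MESSAGE_TEXT = 'name contains disallowed characters';
    END IF;

    -- c. even after validation, double every single quote so the value cannot end the
    --    literal early, and append the closing quote that the original sample left out
    SET stmt = 'UPDATE Stud_Marks SET id = 3 WHERE name = '''
               || OREPLACE(X, '''', '''''') || '''';
    CALL DBC.SYSEXECSQL(stmt);
END;

-- With the input from the question, X_SAMPLE_STATIC updates only a row whose name is
-- literally  abc' OR 1=1  (none), and X_SAMPLE_DYNAMIC raises SQLSTATE 70002 before
-- any statement text is built.
CALL X_SAMPLE_STATIC('abc'' OR 1=1');
CALL X_SAMPLE_DYNAMIC('abc'' OR 1=1');
```

The static form is the one to reach for whenever the part that varies is a value (a name, an id, a date); dynamic SQL is only needed when an identifier such as a table or column name is chosen at run time, and in that case the identifier should be checked against a fixed list of permitted names rather than escaped.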