I was reading an interesting article about SQL Injection and found that we can set the NLS_DATE_FORMAT this way too.
14:14:43 SQL> ALTER SESSION SET NLS_DATE_FORMAT = '"THIS IS A SINGLE QUOTE ''"';
Session altered.
Elapsed: 00:00:00.00
15:46:49 SQL> SELECT SYSDATE FROM DUAL;
SYSDATE
------------------------
THIS IS A SINGLE QUOTE '
Interesting stuff. Apparently we can use the above setting to inject into procedures which do not have any parameters passed to them. Read this for more.
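The code pattern that this session setting affects, shown next to safer forms, as an added example that is not from the original post or the article it refers to. The table audit_log(logged_on DATE, msg VARCHAR2(100)) and all procedure names are hypothetical.

```sql
-- Added example; audit_log and the procedure names are hypothetical.

-- Affected pattern: the procedure takes no parameters, but SYSDATE is
-- concatenated into dynamic SQL. The implicit DATE -> VARCHAR2 conversion
-- uses the caller's session NLS_DATE_FORMAT, so literal text in the
-- format mask (a single quote included) ends up inside the statement.
CREATE OR REPLACE PROCEDURE purge_today_unsafe AS
  v_stmt VARCHAR2(200);
BEGIN
  v_stmt := 'DELETE FROM audit_log WHERE logged_on >= ''' || SYSDATE || '''';
  EXECUTE IMMEDIATE v_stmt;
END;
/

-- Safer form 1: pass the DATE as a bind variable. The value never becomes
-- part of the SQL text, so the session date format is irrelevant.
CREATE OR REPLACE PROCEDURE purge_today_bind AS
  v_day DATE := TRUNC(SYSDATE);
BEGIN
  EXECUTE IMMEDIATE
    'DELETE FROM audit_log WHERE logged_on >= :d'
    USING v_day;
END;
/

-- Safer form 2: static SQL. No statement text is built at run time.
CREATE OR REPLACE PROCEDURE purge_today_static AS
BEGIN
  DELETE FROM audit_log WHERE logged_on >= TRUNC(SYSDATE);
END;
/

-- Safer form 3: when a date really has to appear as text, convert it with
-- an explicit format mask on both sides instead of relying on the session.
CREATE OR REPLACE PROCEDURE purge_today_mask AS
  v_stmt VARCHAR2(200);
BEGIN
  v_stmt := 'DELETE FROM audit_log WHERE logged_on >= TO_DATE('''
            || TO_CHAR(SYSDATE, 'YYYY-MM-DD')
            || ''', ''YYYY-MM-DD'')';
  EXECUTE IMMEDIATE v_stmt;
END;
/
```

When reviewing existing PL/SQL, treat any DATE or NUMBER value concatenated into an EXECUTE IMMEDIATE or DBMS_SQL string without an explicit TO_CHAR mask as session-controlled text, even if the procedure accepts no arguments.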