Oracle PL/SQL and SQL grammars

Pete Finnigan <>
21 Nov 2003 00:48:37 -0500

          From comp.compilers


From: Pete Finnigan <>
Newsgroups: comp.compilers
Date: 21 Nov 2003 00:48:37 -0500
Keywords: SQL, question
Posted-Date: 21 Nov 2003 00:48:37 EST

Hi everyone,

I have searched on Google and could not find anything on the
availability of grammars for PL/SQL and Oracle (dialect) SQL. I am
looking at how to implement a free "tool" to detect SQL and PL/SQL
Injection attempts against an Oracle database and have come to the
conclusion I need to be able to parse these two languages in some way.

To give you all some background I have written three papers on the
subject "SQL Injection and Oracle : Part 1" "SQL injection and Oracle
Part 2" and "Detecting SQL injection in Oracle" - links to all the
papers if anyone is interested to know what this is about are at

What I want to be able to do is stream raw data through a "program" -
this data will include SQL and PL/SQL statements as well as network
stuff and data from the database. I want to be able to recognise genuine
syntax and discard most of the rest (although I want to capture timing
and user (if available)). After grabbing the genuine SQL or PL/SQL I then
want to apply any number of stored rules - for instance - existence of a
select statement including a "union" but only if the table accessed is
owned by the user SYS. PL/SQL examples are more convoluted.

I am not a compiler / parser expert but I learn fast and can code well
in C so I was thinking in terms of flex, bison for grabbing the Oracle
code and regular expressions for the rules or possibly a simple language
so that false checks can be aborted quicker?

If anyone has any ideas about where to get the grammar or even if I
would not need the whole grammar then I would be grateful for comments.

Thanks in advance and kind regards

Pete Finnigan
Web site: - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see for details.
[I think you need some fairly simple pattern matching to look for stuff
that resembles SQL statements, then parse what you find and see if it
passes. SQL all starts with a keyword like SELECT or INSERT and in a
context like this a statement probably runs up to the next non-text character
in the data stream. -John]
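
The keyword-anchored scan suggested in the moderator's note, combined with the
UNION / SYS rule from the post, as an added C example that is not code from the
poster or the moderator. The keyword list, the sample bytes and all function
names are assumptions, and SYS ownership is inferred only from an explicit
"SYS." qualifier.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Statement-opening keywords: an assumed subset, not the full grammar. */
static const char *const STARTS[] = {"SELECT", "INSERT", "UPDATE", "DELETE", "BEGIN", "DECLARE"};
static int is_ident(int c) { return isalnum(c) || c == '_' || c == '$' || c == '#'; }
static int is_text(int c) { return isprint(c) || c == '\n' || c == '\r' || c == '\t'; }
/* Does upper-case `word` occur at s[i], ignoring case, as a whole token? */
static int word_at(const unsigned char *s, size_t n, size_t i, const char *word) {
    size_t w = strlen(word);
    if (i + w > n || (i > 0 && is_ident(s[i - 1]))) return 0;
    for (size_t k = 0; k < w; k++)
        if (toupper(s[i + k]) != (unsigned char)word[k]) return 0;
    /* a word ending in punctuation ("SYS.") needs no right-hand boundary */
    return !is_ident((unsigned char)word[w - 1]) || i + w == n || !is_ident(s[i + w]);
}
static int has_word(const unsigned char *s, size_t n, const char *word) {
    for (size_t i = 0; i < n; i++)
        if (word_at(s, n, i, word)) return 1;
    return 0;
}
/* Rule from the post: a SELECT with UNION that names a SYS-owned object. */
static int rule_union_sys(const unsigned char *s, size_t n) {
    return word_at(s, n, 0, "SELECT") && has_word(s, n, "UNION") && has_word(s, n, "SYS.");
}

/* Scan raw bytes for candidate statements; return how many hit the rule. */
int scan_stream(const unsigned char *buf, size_t n) {
    int flagged = 0;
    for (size_t i = 0; i < n; i++) {
        int start = 0;
        for (size_t k = 0; k < sizeof STARTS / sizeof *STARTS; k++)
            start |= word_at(buf, n, i, STARTS[k]);
        if (!start) continue;
        size_t len = 0; /* the statement runs to the next non-text byte */
        while (i + len < n && is_text(buf[i + len])) len++;
        flagged += rule_union_sys(buf + i, len);
        i += len - 1;   /* resume after the statement (loop adds 1) */
    }
    return flagged;
}

/* Constructed sample: three statements separated by non-text bytes. */
static const unsigned char SAMPLE[] =
    "\x00\x1f\x06" "select ename from emp where id=1 union select password from sys.user$"
    "\x00\x03" "SELECT name FROM reunion_sys WHERE x=1"
    "\x01" "INSERT INTO log VALUES ('union sys.')";
int main(void) {
    printf("flagged: %d\n", scan_stream(SAMPLE, sizeof SAMPLE - 1));
    return 0;
}
```

A keyword inside a quoted literal of a SELECT still counts as a match here;
telling the two apart is where the grammar asked about in the post comes in.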
