Oracle PL/SQL and SQL grammars email@example.com (Pete Finnigan) (2003-11-21)
From: Pete Finnigan <firstname.lastname@example.org>
Date: 21 Nov 2003 00:48:37 -0500
Posted-Date: 21 Nov 2003 00:48:37 EST

I have searched on Google and could not find anything on the
availability of grammars for PL/SQL and Oracle (dialect) SQL. I am
looking at how to implement a free "tool" to detect SQL and PL/SQL
Injection attempts against an Oracle database and have come to the
conclusion I need to be able to parse these two languages in some way.

To give you all some background I have written three papers on the
subject "SQL Injection and Oracle : Part 1" "SQL injection and Oracle
Part 2" and "Detecting SQL injection in Oracle" - links to all the
papers if anyone is interested to know what this is about are at

What I want to be able to do is stream raw data through a "program" -
this data will include SQL and PL/SQL statements as well as network
stuff and data from the database. I want to be able to recognise genuine
syntax and discard most of the rest (although I want to capture timing
and user, if available). After grabbing the genuine SQL or PL/SQL I then
want to apply any number of stored rules - for instance - existence of a
select statement including a "union" but only if the table accessed is
owned by the user SYS. PL/SQL examples are more convoluted.

I am not a compiler / parser expert but I learn fast and can code well
in C so I was thinking in terms of flex, bison for grabbing the Oracle
code and regular expressions for the rules or possibly a simple language
so that false checks can be aborted quicker?

If anyone has any ideas about where to get the grammar or even if I
would not need the whole grammar then I would be grateful for comments.

Thanks in advance and kind regards

Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.

[I think you need some fairly simple pattern matching to look for stuff
that resembles SQL statements, then parse what you find and see if it
passes. SQL all starts with a keyword like SELECT or INSERT and in a
context like this a statement probably runs up to the next non-text character
in the data stream. -John]
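
The pattern-matching approach from the moderator's note, combined with the sample rule from the post (a select with "union" against a SYS-owned table), as an added C example that is not part of the original thread. The names `next_stmt`, `rule_union_sys` and `SAMPLE` are hypothetical, the capture is constructed, and ownership is assumed to be visible only as a literal `SYS.` schema prefix.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
static const char *KW[] = { "SELECT", "INSERT", "UPDATE", "DELETE" }; /* subset */
static int is_text(unsigned char c) { return isprint(c) || isspace(c); }
static int is_ident(char c) { return isalnum((unsigned char)c) || c == '_'; }

/* Case-insensitive whole-word search; `word` must be upper case. */
static const char *find_word(const char *s, const char *word) {
    size_t n = strlen(word), i;
    for (const char *p = s; *p; p++) {
        for (i = 0; i < n && toupper((unsigned char)p[i]) == word[i]; i++) {}
        if (i == n && (p == s || !is_ident(p[-1])) && !is_ident(p[n])) return p;
    }
    return NULL;
}

/* Next text run in buf, trimmed to start at its first keyword; 0 when none left. */
int next_stmt(const unsigned char *buf, size_t len, size_t *pos, char *out, size_t outsz) {
    while (*pos < len) {
        size_t n = 0; const char *first = NULL, *hit;
        while (*pos < len && !is_text(buf[*pos])) (*pos)++;    /* skip binary noise */
        for (; *pos < len && is_text(buf[*pos]); (*pos)++)     /* collect text run */
            if (n + 1 < outsz) out[n++] = (char)buf[*pos];
        out[n] = '\0';
        for (size_t k = 0; k < sizeof KW / sizeof *KW; k++)
            if ((hit = find_word(out, KW[k])) && (!first || hit < first)) first = hit;
        if (first) { memmove(out, first, strlen(first) + 1); return 1; }
    }
    return 0;
}

/* The post's sample rule: a SELECT with UNION that touches a SYS-owned table.
   Assumption: ownership is only visible as a literal SYS. schema prefix. */
int rule_union_sys(const char *stmt) {
    if (!find_word(stmt, "SELECT") || !find_word(stmt, "UNION")) return 0;
    for (const char *p = stmt; (p = find_word(p, "SYS")) != NULL; p += 3)
        if (p[3] == '.') return 1;
    return 0;
}
static const unsigned char SAMPLE[] =   /* constructed capture, not real traffic */
    "\x00\x01\x05" "select name from emp where id=1 union select password from sys.user$"
    "\x00\x03\x11" "SELECT ename FROM scott.emp" "\x00\x07" "user=app; select a from t "
    "union select b from u" "\xff";

int main(void) {
    size_t pos = 0; char stmt[256];
    while (next_stmt(SAMPLE, sizeof SAMPLE, &pos, stmt, sizeof stmt))
        printf("%-4s %s\n", rule_union_sys(stmt) ? "FLAG" : "ok", stmt);
}
```

An unqualified table name or a synonym that resolves to a SYS object is not caught by this textual check; resolving real ownership needs a lookup against the database's data dictionary.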