Applied Oracle Security: Developing Secure Database and Middleware Environments - P51

Computer security is a field of study that continues to undergo significant changes at an extremely fast pace. As a result of research combined with increases in computing capacity, computer security has reached what many consider to be “early adulthood.” From advances in encryption and encryption devices to identity management and enterprise auditing, the computer security field is as vast and complex as it is sophisticated and powerful.

474 Part IV Applied Security for Oracle APEX and Oracle Business Intelligence

Kochhar - 17000
De Haan - 17000
Hunold - 9000
Ernst - 6000
Austin - 4800
Pataballa - 4800
.
Gietz - 8300
107 Rows Returned

Now we can see all 107 rows. How did this happen?

1. By including the single quote after Grant, the where predicate has the correct syntax.
2. Adding or 1=1 essentially negates the where predicate and returns every row, since 1 will always equal 1.
3. The -- at the end of the statement is the comment operator in Oracle SQL, which comments out the trailing single quote that is in the original procedure. Remember that we already closed the quote in step 1.

The addition of this predicate completely changes the result set of the query. Instead of simply passing different last names to the procedure, we are able to construct parameters that will modify the structure of the query.

The more an attacker knows about a system, the more effectively he can plan an attack. In the next example, we will pass a more sophisticated parameter to the same procedure to start investigating the data dictionary views.

hr@aos exec sql_injection q ZZZ union select null null table_name last_name null null null null null null null null from user_tables --

COUNTRIES -
DEPARTMENTS -
EMPLOYEES -
JOBS -
JOB_HISTORY -
LOCATIONS -
REGIONS -
7 Rows Returned

Here's the breakdown of this attack:

1. The first part of the parameter is ZZZ. This simply returns no rows from the employees table and closes the first quote. This was intentional, since we already have all of the rows in the preceding example.
2. Next, we union in our own query. The syntax of a union operator is such that both queries need to have the same number and type of columns, so an attacker would need to keep adding null columns until he received a result.
3. Once again, we comment out the trailing single quote, since we already closed it in step 1.

A variation on this attack might be to query the USER_TAB_COLUMNS table to find all the columns in the .
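
The contrast between the concatenated where predicate described above and a bound parameter, as an added example that is not code from the book: it uses Python's sqlite3 module as a stand-in for the Oracle procedure, and the table layout, sample rows and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows standing in for the HR employees table (assumption).
ROWS = [("Kochhar", 17000), ("De Haan", 17000), ("Grant", 7000), ("O'Brien", 5000)]

def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table employees (last_name text, salary integer)")
    conn.executemany("insert into employees values (?, ?)", ROWS)
    return conn

def lookup_concatenated(conn, last_name):
    """'Before' form: the parameter is pasted into the SQL text, so quotes and
    comment markers inside it become part of the statement."""
    sql = ("select last_name, salary from employees "
           "where last_name = '" + last_name + "'")
    return conn.execute(sql).fetchall()

def lookup_bound(conn, last_name):
    """Hardened form: the statement text is fixed and the value is bound,
    so it is only ever compared against last_name as data."""
    sql = "select last_name, salary from employees where last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()

def compare(conn, value):
    """Return (concatenated result or error class name, bound result)."""
    try:
        concatenated = lookup_concatenated(conn, value)
    except sqlite3.Error as exc:
        concatenated = type(exc).__name__
    return concatenated, lookup_bound(conn, value)

if __name__ == "__main__":
    conn = make_db()
    # A normal name, the tautology input from the text, and a legitimate
    # surname containing a quote (which the concatenated form cannot handle).
    for value in ("Grant", "Grant' or 1=1 --", "O'Brien"):
        concatenated, bound = compare(conn, value)
        print(repr(value), "| concatenated:", concatenated, "| bound:", bound)
```

In Oracle the same separation comes from bind variables: static SQL inside PL/SQL binds its variables automatically, and dynamic SQL can pass values through EXECUTE IMMEDIATE ... USING instead of concatenating them.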