Is it possible to execute multiple statements in a single query using DBD::Oracle?

I would like to know if it is possible to execute more than one SQL statement within one execute() or do() using DBD::Oracle via Perl DBI. Example:

# Multiple SQL statements in a single query, separated by a ";"
$sql = 'UPDATE foo SET bar = 123; DELETE FROM foo WHERE baz = 456';

$sth = $dbh->prepare($sql);
$sth->execute;

# ...or...

$dbh->do($sql);

I ask this not because I really want to do this, but because I want to assess the potential damage due to a successful SQL injection attack. And yes, I know that, regardless of the answer to this question, the possibility of SQL injection should still be eliminated at the root, using bound values and only trusted input, etc. But the question still remains: is it possible to get DBD::Oracle to execute multiple statements?

As a related example, DBD::mysql has mysql_multi_statements, which explicitly enables this functionality. I cannot shake the feeling that there is some kind of similar, possibly undocumented and incomprehensible Oracle OCI option, available in some way through DBD::Oracle, which will enable the same thing.

In case it matters, it is:

  • perl 5.8.8
  • DBD::Oracle 1.22
  • Oracle 11g (01/11/0700)
1 answer

If there is a successful SQL injection attack, can an attacker just repeat it and run several statements in the same way?

Oracle supports anonymous PL/SQL blocks, which can contain multiple statements.

" " ", " drop table sales ", "

Oracle SQL injection tutorial: http://st-curriculum.oracle.com/tutorial/SQLInjection/index.htm
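
The anonymous PL/SQL block mentioned in the answer, written with the bound values the question refers to, so that one execute() runs both statements while caller-supplied values stay data. This is an added example, not code from the original posts; the DSN, credentials and environment variable names are assumptions, and foo, bar and baz are the question's own names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumed connection settings (placeholders, not from the original post).
my $dsn  = $ENV{ORACLE_DSN}  || 'dbi:Oracle:ORCL';
my $user = $ENV{ORACLE_USER} || 'app_user';
my $pass = $ENV{ORACLE_PASS} || '';

my $dbh = DBI->connect($dsn, $user, $pass,
    { RaiseError => 1, PrintError => 0, AutoCommit => 0 });

# Values that would come from the caller; constructed sample input.
my ($bar, $baz) = (123, 456);

# One prepare/execute, two statements: the anonymous PL/SQL block is
# fixed text written by the developer, and the values travel separately
# as bind parameters, so they are never parsed as SQL or PL/SQL.
my $sth = $dbh->prepare(q{
    BEGIN
        UPDATE foo SET bar = :bar;
        DELETE FROM foo WHERE baz = :baz;
    END;
});
$sth->bind_param(':bar', $bar);
$sth->bind_param(':baz', $baz);

# Commit both statements together or roll both back.
eval {
    $sth->execute;
    $dbh->commit;
    1;
} or do {
    my $err = $@ || 'unknown error';
    eval { $dbh->rollback };
    die "PL/SQL block failed, rolled back: $err";
};

$dbh->disconnect;
```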
