[36827] in bugtraq
Re: Oracle 9i Union Flaw
daemon@ATHENA.MIT.EDU (Peter J. Holzer)
Mon Oct 4 15:04:47 2004
Date: Mon, 4 Oct 2004 14:56:47 +0200
From: "Peter J. Holzer" <hjp@wsr.ac.at>
To: bugtraq@securityfocus.com
Message-ID: <20041004125647.GA15602@wsr.ac.at>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
protocol="application/pgp-signature"; boundary="+HP7ph2BbKc20aGI"
Content-Disposition: inline
In-Reply-To: <20041001175530.2325.qmail@www.securityfocus.com>
--+HP7ph2BbKc20aGI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On 2004-10-01 17:55:30 -0000, Brandon Petty wrote:
> I still think that if you are going to union two fields... that the
> results should not be stored under one of those fields headings if
> they are different.=20
That would be a major change in how union works in SQL - I think if this
was included in the next SQL standard, the committee would be lynched.=20
That would break code like
select name, phone from contacts union select name, mobile from contact=
s;
or even=20
select name, phone from employees union select name, phone from contact=
s;
if you check wether the full name (schema.table.field) is different.
It also doesn't help against SQL injections as the attacker can always
rewrite his query from=20
select login, password from foo union select pasword, login from foo;
to
select login, password from foo union
select password as login, login as password from foo;
> The issue with Oracle 9i not allowing you to miss match more than two
> fields is still strange.
I can't reproduce that:
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.4.0 - Production
SQL> create table foo (a int, b int, c int, d int);
Table created.
SQL> insert into foo values(1, 11, 111, 1111);
1 row created.
SQL> insert into foo values(2, 22, 222, 2222);
1 row created.
SQL> insert into foo values(3, 33, 333, 3333);
1 row created.
SQL> select * from foo;
A B C D
---------- ---------- ---------- ----------
1 11 111 1111
2 22 222 2222
3 33 333 3333
SQL> select a, b, c, d from foo union select d, c, b, a from foo;
A B C D
---------- ---------- ---------- ----------
1 11 111 1111
2 22 222 2222
3 33 333 3333
1111 111 11 1
2222 222 22 2
3333 333 33 3
6 rows selected.
Works as expected.
hp
--=20
_ | Peter J. Holzer | Shooting the users in the foot is bad.=20
|_|_) | Sysadmin WSR / LUGA | Giving them a gun isn't.
| | | hjp@wsr.ac.at | -- Gordon Schumacher,
__/ | http://www.hjp.at/ | mozilla bug #84128
--+HP7ph2BbKc20aGI
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iQDQAwUBQWFIj1LjemazOuKpAQHzSwXTB0hhziHGOh5nIkI4ybL3l7IJ6Srk2wlg
1X98r4Q1CoyevM+pbRZQ7+IRI6lJOdCaubhFmFWeOXLuZ0N8epkIyWAj+MrTah3i
is2ASiYSb3hrleVNuG2/fEtBQxNFNWNwMQSJ5vGafJMmJpERcxpdcdbBZlhVAZSx
uj79RkPEnsQfnvUFYIyNCrYYjhy6Gf89aWlOZdk13g21AOm42liggRQZQyebnro7
+zuUaOwg5oXb2Z9NgvqtQsiD6w==
=ZH+c
-----END PGP SIGNATURE-----
--+HP7ph2BbKc20aGI--
