Re: ecmascript 5 DATESTYLE

Pavel Stehule wrote:
> see google: lateral sql injection oracle NLS_DATE_FORMAT
>
> I would to like this functionality too - and technically I don't see a
> problem - It's less than 100 lines, but I don't need a new security
> problem. So my proposal is change nothing on this integrated
> functionality and add new custom date type - like cdate that can be
> customized via GUC.
>
> Regards
> Pavel

OK I found www.databasesecurity.com/dbsec/lateral-sql-injection.pdf. From the way I read this, the exploit relies on
adjustingthe 
 
NLS_DATE_FORMAT to an arbitrary string which is then used for the 
attack, To me this is easy to code against, simply lock the date format 
right down and ensure that it is always controlled. IMHO I don't see an 
Oracle specific attack as a reason why we can't have a generic format. 
Surely we can learn from this known vulnerability and get another one up 
on Oracle?

Thanks,

-- 
Mike Fowler
Registered Linux user: 379787

"I could be a genius if I just put my mind to it, and I,
I could do anything, if only I could get 'round to it"
-PULP 'Glory Days'