2007-07-13

Unsecure by design

Avoiding Connection String Injection Attacks
A connection string injection attack can occur when dynamic string concatenation is used to build connection strings based on user input. If the string is not validated and malicious text or characters not escaped, an attacker can potentially access sensitive data or other resources on the server. For example, an attacker could mount an attack by supplying a semicolon and appending an additional value. The connection string is parsed using a "last one wins" algorithm, so the hostile input would be substituted for a legitimate value.
MSDN


So why isn't a rational escaping mechanism provided for every eventuality? As it is, it's still impossible to use arbitrary symbols in the password.

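using Oracle.DataAccess.Client;

namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            // The builder is Microsoft's System.Data.OracleClient class;
            // the connection below is ODP.NET's Oracle.DataAccess.Client.OracleConnection.
            System.Data.OracleClient.OracleConnectionStringBuilder builder =
                new System.Data.OracleClient.OracleConnectionStringBuilder();
            builder.DataSource = "dev";
            builder.Pooling = false;
            builder.UserID = "user";
            // The password contains a double quote, a single quote and a semicolon.
            builder.Password = "a\"';1234";
            OracleConnection connection = new OracleConnection();
            // Hand the builder's escaped connection string to the connection.
            connection.ConnectionString = builder.ConnectionString;
            connection.Open();
        }
    }
}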
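
The "last one wins" parsing from the MSDN passage, next to the quoting a connection string builder applies, as an added example (not code from the original post). It uses the provider-independent System.Data.Common.DbConnectionStringBuilder; the hostile value, the "other" data source name and the helper names are constructed for illustration.

```csharp
using System;
using System.Data.Common;

static class ConnectionStringDemo
{
    // Unsafe: user input is concatenated directly into the connection string.
    static string BuildByConcatenation(string user, string password)
    {
        return "Data Source=dev;User ID=" + user + ";Password=" + password;
    }

    // Safer: the builder quotes any value that contains separators or quotes.
    static string BuildWithBuilder(string user, string password)
    {
        var builder = new DbConnectionStringBuilder();
        builder["Data Source"] = "dev";
        builder["User ID"] = user;
        builder["Password"] = password;
        return builder.ConnectionString;
    }

    // Parse a connection string and return one keyword's effective value.
    static string ValueOf(string connectionString, string keyword)
    {
        var parsed = new DbConnectionStringBuilder();
        parsed.ConnectionString = connectionString;
        return (string)parsed[keyword];
    }

    static void Main()
    {
        // Constructed input: a semicolon followed by an extra keyword.
        string hostile = "secret;Data Source=other";

        string concatenated = BuildByConcatenation("user", hostile);
        string built = BuildWithBuilder("user", hostile);
        Console.WriteLine(concatenated);
        Console.WriteLine("Data Source after parsing: " + ValueOf(concatenated, "Data Source"));
        Console.WriteLine(built);
        Console.WriteLine("Data Source after parsing: " + ValueOf(built, "Data Source"));

        // The password from the post, round-tripped through the same builder.
        string odd = "a\"';1234";
        string escaped = BuildWithBuilder("user", odd);
        Console.WriteLine(escaped);
        Console.WriteLine("Round trip intact: " + (ValueOf(escaped, "Password") == odd));
    }
}
```

Whether a given provider's own parser accepts the builder's quoting is a separate question from whether the builder produces it.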
