
Create command throws ORA-01036: illegal variable name/number exception

I am working on fixing an SQL Injection flaw reported by some tool. Our application was reading Oracle queries from an XML file. The query is shown below...

<CommandText>create user &amp;USERNAME identified externally</CommandText>

In the program, the query was modified as follows...

create user User_05 identified externally

I was asked to add parameter statements to avoid SQL Injection. So I did similar thing as shown below...

OracleCommand command = connection.CreateCommand();
// :USERNAME is meant as a bind placeholder for the user name
command.CommandText = "create user :USERNAME identified externally";
string attrName = "USERNAME";
string valueToBePut = "User_05";
command.Parameters.Add(new OracleParameter(attrName, valueToBePut));
command.ExecuteNonQuery();

and when I tried to execute the query, it failed with the following exception:

{"ORA-01036: illegal variable name/number"}

Can anyone help me with this? What might I be doing wrong here?

Thanks.

To prevent someone exploiting this code, you should check if the entered values are safe. Oracle provides the DBMS_ASSERT package to do this for you.

What I would do is create a stored procedure which accepts the username as an argument. This stored procedure would create the database user for you. The stored procedure would verify that the argument contains no SQL Injection using

DBMS_ASSERT.QUALIFIED_SQL_NAME();

Your code would bind the input to calling that stored procedure.

Check out the DBMS_ASSERT package http://docs.oracle.com/database/121/ARPLS/d_assert.htm#ARPLS65375

What I don't understand is why you would want to create users on the fly...
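The stored procedure the answer describes, written out as an added example (this is not code from the original answer or from Oracle's documentation). It assumes a procedure name of create_external_user and that the caller may run CREATE USER. The ORA-01036 in the question arises because CREATE USER takes an identifier, not a value, so a bind variable cannot supply the user name; the procedure therefore validates the name with DBMS_ASSERT and only then builds the DDL string. DBMS_ASSERT.SIMPLE_SQL_NAME is used here instead of the QUALIFIED_SQL_NAME named in the answer, since a user name is a single identifier and the simpler check is the stricter one; both raise an ORA-44xxx error on an invalid name before any DDL runs.

```sql
-- Added example: validate the user name with DBMS_ASSERT before building CREATE USER DDL.
-- Procedure name and the calling code below are assumptions, not from the original post.
CREATE OR REPLACE PROCEDURE create_external_user (p_username IN VARCHAR2)
AUTHID DEFINER
AS
  l_name VARCHAR2(128);
BEGIN
  -- SIMPLE_SQL_NAME returns the input unchanged only if it is a valid simple
  -- SQL identifier (plain or double-quoted); anything else, such as a name
  -- containing spaces, a semicolon or a stray quote, raises ORA-44003.
  l_name := DBMS_ASSERT.SIMPLE_SQL_NAME(p_username);

  -- CREATE USER cannot take a bind variable for the identifier, so the
  -- statement is assembled as a string from the already-validated name only.
  EXECUTE IMMEDIATE 'CREATE USER ' || l_name || ' IDENTIFIED EXTERNALLY';
END create_external_user;
/

-- Constructed demonstration: the first call succeeds, the second is rejected
-- by DBMS_ASSERT before EXECUTE IMMEDIATE is reached.
BEGIN
  create_external_user('User_05');

  BEGIN
    create_external_user('bad name; with junk');
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);  -- expected ORA-44003
  END;
END;
/
```

From the C# side the application then calls the procedure instead of running the DDL itself: set CommandText to create_external_user, CommandType to StoredProcedure, and add a single parameter named p_username carrying the user name. The bind works there because the name is a VARCHAR2 argument to the procedure, not part of the DDL text.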
