Quoted usernames are not supported #920
An unfriendly DBA could inject SQL by creating a user. All parts building up a dynamic SQL or PL/SQL statement must be asserted accordingly. Even expressions like
1. Create user
2. Create test
The server output is:
In this case the test just failed without side effects. However, it shows two things:
a) utPLSQL expects and supports a certain style of usernames only (no enquoted user names)
b) the potential risks of SQL injection.
The test case above works. 1 test executed successfully.
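One way to assert a username before it goes into dynamic SQL, so that quoted usernames keep their case and malformed ones are rejected. This is an added example, not code from the issue or from utPLSQL; the helper `asserted_owner` and the sample names are constructed for illustration, and the resulting statement is only printed, not executed.

```sql
set serveroutput on
declare
  type t_names is table of varchar2(128);
  -- Constructed sample inputs: an ordinary name, a quoted-style name
  -- (mixed case, with a space), and a name with an embedded double quote.
  l_names t_names := t_names('SYS', 'Mixed Case', 'bad"name');

  -- Hypothetical helper: returns p_owner as a safely quoted identifier.
  function asserted_owner(p_owner in varchar2) return varchar2 is
    l_quoted varchar2(130);
    l_found  pls_integer;
  begin
    -- Identifier position: enquote the name. capitalize => false keeps the
    -- exact case of quoted usernames; a stray double quote raises an exception.
    l_quoted := dbms_assert.enquote_name(p_owner, capitalize => false);
    -- Value position: pass the name as a bind, never by concatenation.
    execute immediate
      'select count(*) from all_users where username = :owner'
      into l_found using p_owner;
    if l_found = 0 then
      raise_application_error(-20001, 'unknown user');
    end if;
    return l_quoted;
  end asserted_owner;
begin
  for i in 1 .. l_names.count loop
    begin
      -- The unasserted form would concatenate l_names(i) directly.
      dbms_output.put_line(
        'alter session set current_schema = ' || asserted_owner(l_names(i)));
    exception
      when others then
        dbms_output.put_line('rejected [' || l_names(i) || ']: ' || sqlerrm);
    end;
  end loop;
end;
/
```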