Let's say you have a Java app which has a query which can unlock/reset passwords for users like:
"ALTER USER " + iD_Of_User.toUpperCase() + " IDENTIFIED BY " + password_Of_User + " ACCOUNT UNLOCK"
Where iD_Of_User and password_Of_User definitely come in directly from an HTTP request.
This is a pretty textbook SQL injection risk-- we're passing incoming, untrusted data directly to a query. However, when I try to parameterize the query-- I get an error when I try to use a PreparedStatement object to parameterize the dynamic values... I guess PreparedStatement's parameters can only be used for data values? And the ALTER query here is not using the values that way.
I don't think input validation is even possible here-- maybe on the iD_Of_User value, but almost certainly not on the password_Of_User value (which is sometimes used as a password reset-- so its only restrictions are the Oracle 12c password standards).
Any help here would be greatly appreciated. I reviewed this post, but it didn't give me a good solution. I'm hoping someone knows of a good way to do password resets/account unlocks in Oracle which doesn't open the app up to SQL injection.
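One defensive pattern for this situation, as an added example that is not code from the original post: since ALTER USER is DDL and Oracle does not accept bind variables in it, the app has to build the statement text itself, so the protection comes from strictly validating the user name against the shape of a plain Oracle identifier and from rejecting any password character that could terminate the double-quoted token (Oracle passwords cannot contain double quotes anyway). The class name, the identifier regex and the MAX_PASSWORD_LENGTH value are assumptions for this example; the length limit in particular should be taken from the site's own Oracle 12c password profile.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

/**
 * Added example (not code from the original post): builds an ALTER USER
 * statement safely when bind parameters are unavailable, by strictly
 * validating the user name and double-quoting a vetted password.
 */
public final class OracleAccountReset {

    // Shape of an unquoted Oracle identifier: a letter, then letters, digits, _, $ or #,
    // at most 30 characters. Assumption: application user names always follow this shape.
    private static final Pattern USER_ID = Pattern.compile("^[A-Za-z][A-Za-z0-9_$#]{0,29}$");

    // Assumed limit for this example; align it with the site's Oracle password profile.
    private static final int MAX_PASSWORD_LENGTH = 30;

    /** Returns the statement text, or throws if either value is unsafe to embed. */
    public static String buildAlterUser(String userId, String password) {
        if (userId == null || !USER_ID.matcher(userId).matches()) {
            throw new IllegalArgumentException("user id is not a plain Oracle identifier");
        }
        if (password == null || password.isEmpty() || password.length() > MAX_PASSWORD_LENGTH) {
            throw new IllegalArgumentException("password length out of range");
        }
        // Oracle passwords cannot contain double quotes; rejecting them (and control
        // characters) means the double-quoted token below can never be closed early.
        for (int i = 0; i < password.length(); i++) {
            char c = password.charAt(i);
            if (c == '"' || Character.isISOControl(c)) {
                throw new IllegalArgumentException("password contains a forbidden character");
            }
        }
        // Both values are emitted as double-quoted tokens: the user name so the
        // upper-casing stays explicit, the password so punctuation and spaces are literal.
        return "ALTER USER \"" + userId.toUpperCase() + "\" IDENTIFIED BY \"" + password
                + "\" ACCOUNT UNLOCK";
    }

    /** Runs the reset. A plain Statement is used on purpose: DDL takes no bind parameters. */
    public static void resetAndUnlock(Connection conn, String userId, String password)
            throws SQLException {
        String sql = buildAlterUser(userId, password);
        try (Statement st = conn.createStatement()) {
            st.execute(sql);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; no database is needed to see the validation work.
        System.out.println(buildAlterUser("app_user1", "C0rrect Horse!"));
        try {
            buildAlterUser("bad name", "C0rrect Horse!");   // space is not allowed in the id
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same validation can be pushed into the database instead: a PL/SQL procedure that runs the ALTER USER through EXECUTE IMMEDIATE and wraps both values with DBMS_ASSERT.ENQUOTE_NAME (with SIMPLE_SQL_NAME on the user id) gives the app a single callable entry point and keeps the whitelist logic in one place; either way, the invariant is that untrusted input only ever lands inside a token whose delimiters it cannot contain.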