0
Ich versuche, einige sterilisierte XML in eine Tabelle mit dbms_store.insertXML einzufügen. Die Einfügung muss Sonderzeichen und nicht ihre Escape-Entsprechung speichern.Einfügen von Sonderzeichen mit dbms_store.insertXML
Beispiel Tabelle:
CREATE TABLE xml_test
(
key_num NUMBER,
value_desc VARCHAR2 (1000)
);
Beispiel Funktion DBMS_XMLSTORE:
CREATE OR REPLACE FUNCTION fn_insertxml
(
pi_xmldoc IN CLOB,
pi_tablename IN VARCHAR2
)
RETURN NUMBER
IS
v_ctx_type DBMS_XMLSTORE.ctxtype;
v_rows NUMBER;
BEGIN
-- Set the context to the table to be inserted into
v_ctx_type := DBMS_XMLSTORE.newcontext (pi_tablename);
-- Insert document
v_rows := DBMS_XMLSTORE.insertxml (v_ctx_type, pi_xmldoc);
-- Close the context
DBMS_XMLSTORE.closecontext (v_ctx_type);
RETURN v_rows;
END fn_insertxml;
Beispielcode:
DECLARE
k_injected_input CONSTANT VARCHAR2 (4000) := q'[<![CDATA[x]]></VALUE_DESC><KEY_NUM>-1</KEY_NUM><VALUE_DESC><![CDATA[example text]';
k_xml_doc CONSTANT VARCHAR2 (4000) := q'[<ROWSET><ROW num='0'><KEY_NUM><![CDATA[1]]></KEY_NUM><VALUE_DESC><![CDATA[%s]]></VALUE_DESC></ROW></ROWSET>]';
v_row_num NUMBER;
v_sanitised_input varchar2(4000);
v_xml_doc VARCHAR2 (4000);
BEGIN
--Sanitised input
v_sanitised_input := DBMS_XMLGEN.CONVERT (k_injected_input, DBMS_XMLGEN.entity_encode);
--If I insert this as it is, the sanitized input is stored
v_xml_doc := REPLACE (k_xml_doc, '%s', v_sanitised_input);
v_row_num := fn_insertxml (v_xml_doc, 'XML_TEST');
--If I attempt to decode the xml it is open to XML injection (key_num is set to -1)
v_sanitised_input := DBMS_XMLGEN.CONVERT (v_sanitised_input, DBMS_XMLGEN.entity_decode);
v_xml_doc := REPLACE (k_xml_doc, '%s', v_sanitised_input);
v_row_num := fn_insertxml (v_xml_doc, 'XML_TEST');
END;
Wer irgendwelche Ideen hat?