I am new to Stack; apologies if this isn't allowed. I'm reposting this question here because this seems to be a more active community.
Let’s say you have a Java app which has a query which can unlock/reset passwords for users like:
"ALTER USER " + iD_Of_User.toUpperCase() + " IDENTIFIED BY " + password_Of_User + " ACCOUNT UNLOCK"
password_Of_User definitely comes in directly from an HTTP request. Basically this.
I get an error when I try to use a PreparedStatement object to parameterize the dynamic values… I guess PreparedStatement’s parameters can only be used for data values? And the ALTER query here is not using the values that way.
I don't think input validation is even possible here; maybe on the iD_Of_User value, but almost certainly not on the password_Of_User value (which is sometimes used as a password reset, so its only restrictions are the Oracle 12c password standards).
Any help here would be greatly appreciated. I reviewed this post, but it didn't give me a good solution. I'm hoping someone knows of a good way to do password resets/account unlocks in Oracle which doesn't open the app up to SQL injection.
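One defensive pattern for exactly this situation, added here as an illustration and not taken from the question or any project: since Oracle DDL cannot take bind variables, each value is instead constrained so that it cannot leave its own token (the user id is allow-listed as a plain identifier, the password is double-quoted after rejecting the characters a quoted Oracle password may not contain). The class and method names are mine, and the 30-character identifier cap is an assumption to adjust for your database version.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Locale;
import java.util.regex.Pattern;

public final class OracleAccountReset {

    // Plain (unquoted) Oracle identifier: a letter followed by letters, digits, _, $ or #.
    // The 30-character cap is an assumption; adjust it to the limit of your database version.
    private static final Pattern SIMPLE_NAME = Pattern.compile("^[A-Za-z][A-Za-z0-9_$#]{0,29}$");

    /**
     * Builds the ALTER USER statement so that neither value can escape its own token. DDL cannot
     * use bind variables, so the user id is allow-listed and the password is double-quoted after
     * rejecting the only characters a quoted Oracle password may not contain (double quote, NUL).
     */
    public static String buildAlterUser(String userId, String password) {
        if (userId == null || !SIMPLE_NAME.matcher(userId).matches()) {
            throw new IllegalArgumentException("user id is not a plain Oracle identifier");
        }
        if (password == null || password.isEmpty()
                || password.indexOf('"') >= 0 || password.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("password contains a character Oracle does not accept");
        }
        String name = userId.toUpperCase(Locale.ROOT); // same case folding the unquoted form would get
        return "ALTER USER \"" + name + "\" IDENTIFIED BY \"" + password + "\" ACCOUNT UNLOCK";
    }

    /** Runs the constrained statement; a plain Statement is correct here because there is nothing to bind. */
    public static void resetAndUnlock(Connection conn, String userId, String password) throws SQLException {
        String sql = buildAlterUser(userId, password);
        try (Statement st = conn.createStatement()) {
            st.executeUpdate(sql);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; no database connection is needed to exercise the checks.
        System.out.println(buildAlterUser("app_user1", "Correct Horse#2024"));
        try {
            buildAlterUser("app user", "has\"quote");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same constraints can instead live in a PL/SQL procedure that builds the statement with DBMS_ASSERT.ENQUOTE_NAME and runs it via EXECUTE IMMEDIATE, which the Java side then calls with ordinary bound parameters.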