I guess you will ask me: what's wrong here?
The problem is that Oracle is not MySQL, and it simply doesn't "know" about any shielding (escaping) of quotes with backslashes 🙂 Oracle doesn't consider the concept of backslash shielding at all, because it's a serious DBMS:
It should be mentioned that we have met a lot of Oracle DBMSs during recent penetration tests, and most of them contained the described vulnerability, i.e. they accepted a universal login `'or(1)=(1)--` (aka SQL Injection).
A similar feature, the interpretation of a backslash (`\`) as an ordinary symbol rather than an escape character, is characteristic of Microsoft SQL Server, too:
For the Sybase database, we have:
Thus, it is necessary to take such features of DBMSs into account when programming and porting your applications to various databases, in order to avoid problems relating to SQL Injection.
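The following is an added example, not code from the original post. It is a small regression test a developer can keep next to a login routine to see why MySQL-style backslash shielding is the wrong portability assumption. SQLite is used here only as a stand-in for the ANSI quoting rule shared by Oracle, Microsoft SQL Server and Sybase (a quote inside a literal is written as two quotes, and a backslash is just a character); the `users` table, its single row and the `login_*` helpers are constructed for the demonstration. The universal login from the text is the only payload used.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for an application's login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'secret')")
    return conn


def mysql_style_escape(s: str) -> str:
    """MySQL-style shielding: prefix backslashes and quotes with a backslash."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def standard_sql_escape(s: str) -> str:
    """ANSI/Oracle-style shielding: a quote inside a literal is doubled."""
    return s.replace("'", "''")


def login_concat(conn, login, password, escape):
    """Query built by string concatenation after applying the given escape.

    Returns the number of matching rows, or None when the DBMS rejected the
    statement (the escape broke the query instead of protecting it).
    """
    sql = ("SELECT COUNT(*) FROM users WHERE login='%s' AND password='%s'"
           % (escape(login), escape(password)))
    try:
        return conn.execute(sql).fetchone()[0]
    except sqlite3.Error:
        return None


def login_bound(conn, login, password):
    """Query with bind parameters: no escaping is needed on any DBMS."""
    sql = "SELECT COUNT(*) FROM users WHERE login=? AND password=?"
    return conn.execute(sql, (login, password)).fetchone()[0]


def compare(login_input, password_input="x"):
    """Run the same credentials through all three approaches on a fresh DB."""
    conn = make_db()
    return {
        "backslash_escape": login_concat(conn, login_input, password_input,
                                         mysql_style_escape),
        "quote_doubling": login_concat(conn, login_input, password_input,
                                       standard_sql_escape),
        "bind_parameters": login_bound(conn, login_input, password_input),
    }


if __name__ == "__main__":
    # The universal login from the text: under ANSI quoting the backslash
    # becomes the literal's content, the quote ends the literal, and the
    # rest of the WHERE clause is rewritten.
    print(compare("'or(1)=(1)--"))
    # A legitimate value containing a quote: backslash shielding produces a
    # syntax error on such a DBMS, so real users are broken as well.
    print(compare("o'brien"))
```

Under the backslash strategy the first call reports one matching row although no credentials were supplied, while quote doubling and bind parameters report zero; the second call shows that the backslash strategy also turns an ordinary apostrophe into a broken statement. Bind parameters are the portable answer because the driver, not the application, applies whatever quoting rule the target DBMS uses.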