prevent sql injection in oracle "order by" part
To help guard against SQL injection on the database side, have a look at the DBMS_ASSERT built-in Oracle package: http://docs.oracle.com/cd/B28359_01/appdev.111/b28419/d_assert.htm

You might find the SIMPLE_SQL_NAME function will help protect against SQL injection for your ORDER BY clause.
Hope it helps...
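As an added example (not part of the answer above), here is how DBMS_ASSERT.SIMPLE_SQL_NAME fits into a dynamic-SQL ORDER BY. The table EMPLOYEES and its columns are assumed for illustration; list_employees is a hypothetical name. SIMPLE_SQL_NAME only validates a single identifier, so the sort direction has to be checked separately against a fixed list.

```sql
-- Added example; not code from the original answer. Assumes a table
-- EMPLOYEES (EMPLOYEE_ID, LAST_NAME, HIRE_DATE), which is hypothetical.
CREATE OR REPLACE FUNCTION list_employees (
    p_sort_col IN VARCHAR2,
    p_sort_dir IN VARCHAR2 DEFAULT 'ASC'
) RETURN SYS_REFCURSOR
AS
    l_col VARCHAR2(130);
    l_dir VARCHAR2(4);
    l_sql VARCHAR2(4000);
    l_cur SYS_REFCURSOR;
BEGIN
    -- The unsafe version this function replaces would be:
    --   l_sql := '... ORDER BY ' || p_sort_col || ' ' || p_sort_dir;
    -- With p_sort_col set to
    --   (CASE WHEN (SELECT COUNT(*) FROM dba_users) > 0
    --         THEN employee_id ELSE -employee_id END)
    -- the row order would leak the result of an arbitrary subquery
    -- (a blind ORDER BY injection).

    -- SIMPLE_SQL_NAME returns the input unchanged if it is one valid
    -- identifier (letter followed by letters, digits, _, $, #, or a
    -- double-quoted name) and raises ORA-44003 otherwise. The CASE
    -- expression above is rejected because of its spaces and parentheses.
    l_col := DBMS_ASSERT.SIMPLE_SQL_NAME(p_sort_col);

    -- ASC/DESC is a keyword, not a name, so DBMS_ASSERT cannot check it;
    -- compare against the only two values that are allowed.
    l_dir := UPPER(TRIM(p_sort_dir));
    IF l_dir NOT IN ('ASC', 'DESC') THEN
        RAISE_APPLICATION_ERROR(-20001, 'invalid sort direction: ' || p_sort_dir);
    END IF;

    l_sql := 'SELECT employee_id, last_name, hire_date FROM employees ORDER BY '
             || l_col || ' ' || l_dir;
    OPEN l_cur FOR l_sql;
    RETURN l_cur;
END list_employees;
/

-- Behaviour of the check on its own (run these two in SQL*Plus to see it):
--   SELECT DBMS_ASSERT.SIMPLE_SQL_NAME('last_name') FROM dual;      -- ok
--   SELECT DBMS_ASSERT.SIMPLE_SQL_NAME('1; DROP TABLE x') FROM dual; -- ORA-44003
```

Two caveats worth knowing before relying on this: SIMPLE_SQL_NAME does not check that the column exists, and it accepts any double-quoted identifier, so a caller can still pass '"SALARY"' and sort by a column the page never displays. If that matters, also compare the validated name against an explicit list of the columns you intend to expose.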
You could limit the choice of sort order. Most applications only let the users sort by a displayed column; the user could pick which column to sort by through its column position.
In this case you would only accept an integer from the user (you could accept a negative number to sort in descending order). You could let the user sort by several columns by accepting a list of integers.
Integers are easy to check and this would not expose the underlying column names to the user.
One way I used, though for slightly different reasons, was to use Order By 3,2 (3rd column, second column).
So if you can map the column name entered by the user to its position in the output columns, indirection should kill the injection vector.
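The two answers above describe the same technique: accept only integers (negative for descending) and emit a positional ORDER BY such as ORDER BY 3 DESC, 2. As an added example that is not from either answer, the PL/SQL below parses such a list, bounds-checks every position against the size of its own select list, and builds the ORDER BY from the validated integers rather than from the user's string. The EMPLOYEES table and the function name list_employees_by_position are assumed.

```sql
-- Added example; not code from the original answers. Assumes a table
-- EMPLOYEES (EMPLOYEE_ID, LAST_NAME, HIRE_DATE), which is hypothetical.
-- p_sort_spec is e.g. '3,-2': column 3 ascending, then column 2 descending.
CREATE OR REPLACE FUNCTION list_employees_by_position (
    p_sort_spec IN VARCHAR2
) RETURN SYS_REFCURSOR
AS
    -- The select list below has exactly three expressions; a position
    -- outside 1..3 would raise ORA-01785 at OPEN time, but reject it
    -- here with a clearer error instead of letting the parser do it.
    c_num_cols CONSTANT PLS_INTEGER := 3;
    l_token    VARCHAR2(20);
    l_pos      PLS_INTEGER;
    l_order    VARCHAR2(200);
    l_cur      SYS_REFCURSOR;
BEGIN
    -- Anything other than a comma-separated list of optionally signed
    -- integers is refused outright, so no user text ever reaches the SQL.
    IF p_sort_spec IS NULL
       OR NOT REGEXP_LIKE(p_sort_spec, '^-?[0-9]+(,-?[0-9]+)*$') THEN
        RAISE_APPLICATION_ERROR(-20002,
            'sort spec must be integers separated by commas');
    END IF;

    FOR i IN 1 .. REGEXP_COUNT(p_sort_spec, ',') + 1 LOOP
        l_token := REGEXP_SUBSTR(p_sort_spec, '[^,]+', 1, i);
        l_pos   := TO_NUMBER(l_token);

        IF ABS(l_pos) < 1 OR ABS(l_pos) > c_num_cols THEN
            RAISE_APPLICATION_ERROR(-20003,
                'sort position out of range: ' || l_token);
        END IF;

        -- Re-serialise from the validated number, never from the token.
        l_order := l_order
                   || CASE WHEN i > 1 THEN ', ' END
                   || TO_CHAR(ABS(l_pos))
                   || CASE WHEN l_pos < 0 THEN ' DESC' ELSE ' ASC' END;
    END LOOP;

    -- '3,-2' yields: ... ORDER BY 3 ASC, 2 DESC
    OPEN l_cur FOR
        'SELECT employee_id, last_name, hire_date FROM employees ORDER BY '
        || l_order;
    RETURN l_cur;
END list_employees_by_position;
/
```

Because the positions refer to the select list of this one statement, the user never learns or names a real column, which is the point made above about not exposing the underlying column names. Keep c_num_cols in step with the select list if the query changes.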