使用准备好的语句进行 SQL 注入?
如果我没记错的话,我认为 Jeff 在 Stack Overflow 播客中提到了 SQL 准备语句中可能存在的弱点。 我想知道他指的是哪种弱点? 这可能只是不当使用,还是更险恶的事情?
据我记得,这个播客并没有深入探讨这个主题,只是顺便说一句。
If I remember correctly, I think Jeff has mentioned in the Stack Overflow podcast a possible weakness in SQL prepared statements. I'm wondering what kind(s) of weakness(es) did he refer to? Was it possibly just about inappropriate usage thereof, or something more sinister?
The podcast, to my remembering, didn't go deeper into the subject, it was just a pass-by-remark.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
我认为他所说的是,当你使用Prepared Statements时,SQL Server可以缓存你的查询执行计划,因此,即使你修改执行查询上的某些参数,服务器也可能会选择错误的(可能是缓存的)执行计划那会表现得很糟糕。
他还提到了 SQL Server 2008 的一个新功能,可以强制引擎重新评估执行计划,他用这个功能来克服这种情况。
对于准备好的报表,我唯一遇到的问题就是这个。 考虑以下 Java 代码:
在这里,您可能期望,如果表(名称)上有索引,查询计划将使用它。 嗯,不会的。 因为 PraparedStatement 必须预编译并预期最坏的情况:例如“%PATTERN%”。 所以,它不会优化。 我花了一段时间才弄清楚这个问题。 它导致我的数据库受到影响。 :(
希望能帮助到你。
I think what he said was that, when you use Prepared Statements, SQL server could cache your query execution plan, so, even if you modify some of the parameters on the executing query, the server could pick the wrong (probably cached) execution plan that would perform very badly.
He also mentioned a new feature of SQL Server 2008 to force the engine to re-evaluate execution plans that he used to overcome this situation.
With Prepared Statements, the only issue I have is this. Consider the following Java Code:
Here you would expect that, if you have an index on table(name) it will be used by the query plan. Well, it won't. Because PraparedStatement must precompile and expect the worst: '%PATTERN%', for example. So, it won't optimize. It took me a while to figure this one out. It was causing my database to suffer. :(
Hope it helps.
除了正常的 SQL 注入(我们可以称之为一阶)攻击之外,还有二级攻击。 例如,存储过程使用字符串连接来构建然后执行的查询,这种情况并不罕见。 如果检索到的字段值的结果包含在此类串联中,则存在注入的危险。
Beyond the normal sql injection (what we might call first order) attack there are secondary levels. For example its not uncommon to have stored procedures use string concatenation to build a query which it then executes. If result of retrieved field values are included in such a concatenation then there is a danger of injection.
如果准备的语句具有以任何方式动态构造的参数,那么这很可能是弱点的根源。
如果您使用带有经过测试的类的正确数据库来设置参数,那么无论是否准备好语句,您都不会在任何时候面临 SQL 注入。
请记住,仅仅因为准备了语句,或者因为您正在使用存储过程,并不意味着您可以免受注入攻击。 只有当您使用数据库提供程序代码来清理参数输入(并将其应用于所有可以使用的参数)时,您才能获得针对 SQL 注入的保护。
If the statement that is prepared has the parameters dynamically constructed in any way, then that would more than likely be the source of the weakness.
If you use a proper database library with tested classes for setting parameters, then you don't open yourself up to a SQL injection at any point, prepared statement or not.
Remember, just because a statement is prepared, or because you are using a stored procedure, it doesn't mean that you are safe from injection attacks. It is only when you are using database provider code which will sanitize the input of parameters (as well as applying it to all parameters that can be used) that you gain protection from SQL injection.
我没有听过播客,但根据我的经验,只有准备好的陈述才能带来好处。 它通常可以提高应用程序的性能并防止 SQL 注入(如果使用正确,而不是链接中的第二个示例)。
I haven't listened to the podcast, but in my experience only good comes from prepared statements. It often improves the performance of the application and prevents SQL injection (if used right, not as the second example in your link).