糟糕的代码:为什么这很危险?
String badInput = rawInput.replace("'","''");
ResultSet rs = statement.executeQuery("SELECT * FROM records WHERE col1 = '"+badInput+"'";
有没有办法做一个“Bobby表”对这段代码的类似攻击?
Possible Duplicate:
Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?
String badInput = rawInput.replace("'","''");
ResultSet rs = statement.executeQuery("SELECT * FROM records WHERE col1 = '"+badInput+"'";
Is there any way to do a "Bobby Tables"-like attack on this code?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(8)
根据所有解释命令的过程中的不同步骤,可能有可能传递
%27(例如)并将其充当单引号,在替换时不被注意地传递。但即使可以涵盖所有此类情况,并且对于这一单一问题实际上是安全的,但其不足之处在于无法统一实施。其他人可能会想添加
AND int1 = var1,并注意到您已经考虑过 SQL 注入,因此他们只是以与您完全相同的方式修改代码......仅使用整数它不再是您想要保护自己免受的报价!在这里,很明显任何事情都可能出错。因此,虽然这是一个需要有人实施得不好的问题,但我认为这是设计的最大问题——它只涵盖了一小部分情况。
能够只说“以下是一个变量。无论它包含什么,都将其视为一个值,并且不要尝试将其部分用作代码并执行该代码”,这总是更好。
Depending on the different steps along the way that all have to interpret the command, there may be some possibility to pass
%27(for instance) and have it act as a single quote, passing unnoticed through your replace.But even if all such cases could be covered, and it was actually safe for this single question, it is lacking in that it cannot be uniformely implemented. Somebody else may come along and want to add
AND int1 = var1, and notices that you have thought about SQL injection, so they just modify the code in the exact manner that you have...only with integers it is no longer quotes you want to protect yourself from! Here, it is plain to see that anything could go wrong. So while that's a problem that requires somebody to implement it poorly, I think it's the biggest problem of the design - it only covers a narrow set of cases.
It will always be better to be able to just say "the following is a variable. whatever it contains, treat it as a value, and do not try to use parts of it as code and execute that code."
在 MySQL 中,如果 NO_BACKSLASH_ESCAPES 选项没有设置我相信这是可以做到的。
或者类似的东西。您的代码将使
'加倍。第一个'将通过反斜杠转义,第二个将关闭允许 SQL 注入的字符串。为了安全起见,我通常更喜欢坚持准备好的陈述。
In MySQL if the NO_BACKSLASH_ESCAPES option is not set I believe it is possible to do.
Or something similar. Your code will double the
'. The first'will be escaped by the backslash and the second will close the string allowing SQL injection.I usually prefer to stick to prepared statements to be on the safe side.
我最近向我兄弟介绍了准备语句。在他当前的项目中实现它后,他发现
为什么有人不使用prepare?
I recently introduced my brother to the prepare statement. Having implemented it on his current project, he found
Why would anybody not use prepare?
您可以尝试:
如果您的转义字符恰好设置为
'\'。You might try:
in case your escape character happens to be set to
'\'.或许。取决于
replace方法实际执行的操作,尤其是当它遇到 unicode 代理对或组合标记时 - 以及类似的数据库访问技术如何处理此类对。如果replace在字符级别工作,那么如果攻击者向您提供有效的高位代理,后跟单引号字符,您可能会用一对单引号替换该单引号 - 在效果,在稍后可能通过编码并被解释为无效代理对的内容后面附加单引号,留下裸露的单引号字符。或许。
您是否足够了解该替换方法的 unicode 特征以及您的代码与数据库连接另一端的 SQL 执行引擎之间的每个中间字符串处理库?
你觉得幸运吗?
使用参数化查询。
Maybe. Depends on what that
replacemethod actually does, especially when it encounters unicode surrogate pairs or combining marks - and similarly how such pairs are handled by your database access technology. Ifreplaceworks at a char level, then if an attacker supplies you with a valid high surrogate followed by a single-quote character, you might be substituting that single quote with a pair of single-quotes - in effect, appending a single quote after something that -might- later pass through an encoding and be interpreted as an invalid surrogate pair, leaving a naked single quote character.Maybe.
Do you know enough about the unicode characteristics of that replace method and every intervening string handling library between your code and the SQL execution engine at the other end of the DB connection?
Are you feeling lucky?
Use a parameterized query.
我不是安全专家,但
char()不会有效绕过您的安全措施吗?例如:从记录表中获取所有内容
例 2:将信息写入不带单引号的文件
来源:SQL注射备忘单
I'm not a security expert but won't
char()effectively bypass your safety measures?Eg: Getting everything from the records table
Eg 2: Writing info into files without single quotes
Source here: SQL Injection Cheat Sheet
因为只需要有一个黑客发明一种我们今天无法想象的方法来绕过替代品。 (访问数据库的一层中的一个小错误???)
Because there only has to be one hacker that invents a way to bypass the ' replacements on a way that we cannot think of today. (A small bug in one of the layers to access the database???)
这很容易并且总是会引发注入攻击。
That is prone and always inviting for an injection attack.