Where can I find a PL/SQL injection check library/code?
I would like to know whether anyone knows about a library or code that will accept a PL/SQL string and throw an error if there is any PL/SQL injection. Most of the open source projects on the internet are created in PHP.
Comments (2)
You need to use parameters, for example
And then assign :param and :id to be the value that you get from the untrusted source (form value, url params, cookie, ...). This also improves performance, and you don't need to parse anything to determine if it's injection or not. (Such approaches might have subtle bugs that you don't see, but the attacker will use. I mean you cannot verify that every possible attack, including those you haven't thought of yet, will be stopped by an injection-detection logic.)
Assuming you have a very good reason to use both dynamic SQL and to embed strings in your statements rather than use bind variables, Oracle has a built-in library for this purpose. It's called dbms_assert. See http://docs.oracle.com/cd/E11882_01/appdev.112/e40758/d_assert.htm for full details on this package.