How do I protect Amazon SimpleDB from SQL injection?

Posted 2024-10-07 15:26:52


Under the principle of "if it walks like a duck and it sounds like a duck," it sure seems like the SQL-flavored queries that Amazon's SimpleDB supports should be susceptible to SQL injection-type attacks. Here's a simple example that assumes the attacker's input is going into the variable $category, and that he can guess a column name:

// Attacker-controlled value: closes the string literal and appends an OR clause
$category = "Clothes' OR Category LIKE '%";
// Vulnerable: the value is interpolated straight into the select expression
$results = $sdb->select("SELECT * FROM `{$domain}` WHERE Category = '$category'");

If you're playing the home game, these lines can be an in-place replacement for line 119 in the file html-sdb_create_domain_data.php in the sample code in Amazon's PHP SDK (1.2).

Amazon publishes quoting rules, and I suppose I could write something that ensures that any " or ' in user input gets doubled up... but I've always understood that escaping is basically an arms race, which makes parametrization my weapon of choice when using, for example, MySQL.

What are other people using to defend SimpleDB queries?


Comments (1)

绿光 2024-10-14 15:26:52


The SimpleDB Select operation is non-destructive, so the only thing to protect against is extra query data going out to the attacker.

The solution to sanitize user input to the query is pretty easy with SimpleDB since sub-selects and compound statements are not allowed. So it's not really an arms race; sequences of one or more quote characters in the input must be escaped if the length of the sequence is odd.
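An added example, not code from the question, the answer or Amazon's SDK, written in Python rather than the question's PHP: it quotes the value by doubling every embedded single quote (SimpleDB's documented quoting rule), implements the answer's odd-length-run rule beside it, and includes a small scanner that shows where the string literal actually ends, so the injected `OR` clause can be seen to stay inside the literal. The domain name `products` and the attacker string are constructed from the question.

```python
import re

ATTACKER_CATEGORY = "Clothes' OR Category LIKE '%"  # constructed: the input from the question
DOMAIN = "products"                                 # constructed sample domain name

def sdb_quote_value(value: str) -> str:
    """Return value as a SimpleDB string literal: double every embedded single
    quote (the documented SimpleDB quoting rule) and wrap the result in quotes."""
    return "'" + value.replace("'", "''") + "'"

def sdb_escape_odd_runs(value: str) -> str:
    """The minimal rule from the answer: only a run of quotes of odd length can
    close the literal, so add one quote to each odd-length run and leave even
    runs alone. Equivalent to sdb_quote_value for runs of length one."""
    return re.sub(r"'+", lambda m: m.group() + ("'" if len(m.group()) % 2 else ""), value)

def sdb_quote_identifier(name: str) -> str:
    """Quote a domain or attribute name with backticks, doubling any embedded backtick."""
    return "`" + name.replace("`", "``") + "`"

def build_select(domain: str, category: str) -> str:
    """The query from the question, with both the domain and the value quoted."""
    return "SELECT * FROM %s WHERE Category = %s" % (
        sdb_quote_identifier(domain), sdb_quote_value(category))

def literal_end(expr: str, start: int) -> int:
    """Index just past the string literal that opens at expr[start], applying
    the '' escape rule. Returns -1 if the literal never closes."""
    i = start + 1
    while i < len(expr):
        if expr[i] == "'":
            if i + 1 < len(expr) and expr[i + 1] == "'":
                i += 2        # doubled quote: a literal quote character
                continue
            return i + 1      # lone quote: end of the literal
        i += 1
    return -1

def trailing_clause(expr: str) -> str:
    """Text after the first string literal closes: anything here was not part
    of the value and would be parsed as query syntax."""
    start = expr.index("'")
    end = literal_end(expr, start)
    return expr[end:] if end != -1 else ""

if __name__ == "__main__":
    unsafe = "SELECT * FROM `%s` WHERE Category = '%s'" % (DOMAIN, ATTACKER_CATEGORY)
    print("unsafe leaks:", repr(trailing_clause(unsafe)))   # ' OR Category LIKE '%''
    print("quoted leaks:", repr(trailing_clause(build_select(DOMAIN, ATTACKER_CATEGORY))))  # ''
```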
