这个查询可以进行 SQL 注入吗?

发布于 2024-10-19 12:23:45 字数 664 浏览 4 评论 0原文

UPDATE `company` SET `itnumber` = '595959' WHERE (id = 932) 

因此 itnumber 的值来自该公司的用户输入。我想确保我能够防止任何类型的 sql 注入。因此,用户输入 595959,我在动态查询中将该值构建为“595959”。这个查询中还可能存在sql注入攻击吗?我知道使用prepare语句来防止sql注入,但是prepare语句可能需要我的应用程序进行大量的开发工作,所以我正在寻找耗时更少且更简单的方法来修复大多数可能注入的sql语句。

StringBuffer sb = new StringBuffer();
sb.append(" UPDATE ");
sb.append(DB.quote(table));
sb.append(" SET ");
/* logic if column value has changed */
/* if yes */
sb.append(DB.quote(column.name));
sb.append(" = ");
sb.append(column.getSQLvalue());
sb.append(" WHERE (id = ");
sb.append(columns[0].getSQLvalue());
sb.append(")");
execute(sb.toString());
UPDATE `company` SET `itnumber` = '595959' WHERE (id = 932) 

So the value of itnumber is coming from user input for that company. I want to make sure I am able to prevent any kind of sql injection. So user inputs 595959 and I build that value as '595959' in the dynamic query. Is it still possible to have sql injection attack in this query? I am aware of using prepare statement to use to prevent sql injection, but prepare statement might take a lot of development efforts for my application, so I am looking for less time consuming and easier approach to fix most of my sql statements where injection is possible.

StringBuffer sb = new StringBuffer();
sb.append(" UPDATE ");
sb.append(DB.quote(table));
sb.append(" SET ");
/* logic if column value has changed */
/* if yes */
sb.append(DB.quote(column.name));
sb.append(" = ");
sb.append(column.getSQLvalue());
sb.append(" WHERE (id = ");
sb.append(columns[0].getSQLvalue());
sb.append(")");
execute(sb.toString());

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

桃气十足 2024-10-26 12:23:45

如果您只是将输入连接到 SQL 字符串而不进行任何清理(并且简单地用单引号 ' 包围它并不能使其干净),那么是的,它很容易受到 SQL 注入的攻击。

请发布构建此 SQL 的代码以获得明确的答案。


更新:

由于您使用的是 Oracle SQL 库中的 getSQLvalue(),这将确保传入的值正确转义。这确实可以避免 SQL 注入,但是它要求您记住在每个地方都使用它。但是,使用参数可以确保相同的效果,并且不会有忘记转义 SQL 值的风险。

If you are simply concatenating the input into a SQL string without doing any cleanups (and simply surrounding it with single quotes ' doesn not make it clean), then yes, it is vulnerable to SQL injection.

Please post the code that constructs this SQL for a definitive answer.


Update:

Since you are using getSQLvalue() from the Oracle SQL library, this would ensure that the value passed in is escaped correctly. This is indeed safe from SQL injection, however it requires you to remember to use it in every place. Using parameters would ensure the same, however, without the risk of forgetting to escape your SQL values.

等数载,海棠开 2024-10-26 12:23:45

是的。例如:

UPDATE `company`
SET `itnumber` = '595959'; DROP TABLE company; --' WHERE (id = 932)

可能会起作用。

Yes, it is. For example:

UPDATE `company`
SET `itnumber` = '595959'; DROP TABLE company; --' WHERE (id = 932)

Would probably work.

情定在深秋 2024-10-26 12:23:45

我知道使用准备语句
用于防止sql注入,但是
准备声明可能需要很多时间
为我的发展努力
应用程序,所以我正在寻找更少的
耗时且更容易的方法
修复我的大部分 sql 语句
可以进行注射。

您会惊讶地发现,从一开始就以正确的方式实施解决方案所花费的时间会少得多。另外,为什么这比连接查询字符串更复杂?

PreparedStatement pstmt = con.prepareStatement(
       "UPDATE `company` SET `itnumber` = ? WHERE (id = ?)"
   );
pstmt.setString(1, "595959");
pstmt.setInt(2, 932);

另外,它的一个优点是大多数现代驱动程序都会缓存准备好的语句的执行计划,因此这将加快其他查询的速度。

I am aware of using prepare statement
to use to prevent sql injection, but
prepare statement might take a lot of
development efforts for my
application, so I am looking for less
time consuming and easier approach to
fix most of my sql statements where
injection is possible.

You would be surprised how much less time consuming it is to implement solution the right way from the start. Plus how come this is more complex than concatenating query string?

PreparedStatement pstmt = con.prepareStatement(
       "UPDATE `company` SET `itnumber` = ? WHERE (id = ?)"
   );
pstmt.setString(1, "595959");
pstmt.setInt(2, 932);

Plus, it has an advantage that most modern drivers will cache the execution plan of the prepared statement, thus this will speed up other queries.

初心未许 2024-10-26 12:23:45

实际上,最安全的做法是为此创建一个存储过程,那么您的数据类型至少可以保护您一点。

CREATE PROC usp_Update_itnumber_by_Company_Id

@itnumber int
, @Company_Id int

as

BEGIN TRAN    
UPDATE [Company]
SET itnumber = @itnumber
WHERE id = @Company_Id;

COMMIT TRAN 

这样如果如果; DROP TABLE 公司; --' WHERE (id = 932) 传递到 @Company_Id 它将失败,因为数据类型不匹配。

如果您尝试确定要更新哪些列,并且仅当它们发生更改时,您可以考虑执行 MERGE 而不是 UPDATE 语句。通过这种方式,您可以提取记录的当前状态,并且仅在它们不相同时才进行更新。

Really the safest thing to do is create a stored proc for this, then your datatypes at least protect you a little.

CREATE PROC usp_Update_itnumber_by_Company_Id

@itnumber int
, @Company_Id int

as

BEGIN TRAN    
UPDATE [Company]
SET itnumber = @itnumber
WHERE id = @Company_Id;

COMMIT TRAN 

At this way if if ; DROP TABLE company; --' WHERE (id = 932) is passed into @Company_Id it will fail as the datatype is a miss match.

If you're trying to determine which columns to update and only if they've changed you could look into doing a MERGE instead of an UPDATE statement. This way you can pull the current state of a record and only update if they arne't the same.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文