这个查询可以进行 SQL 注入吗?
UPDATE `company` SET `itnumber` = '595959' WHERE (id = 932)
因此 itnumber 的值来自该公司的用户输入。我想确保我能够防止任何类型的 sql 注入。因此,用户输入 595959,我在动态查询中将该值构建为“595959”。这个查询中还可能存在sql注入攻击吗?我知道使用prepare语句来防止sql注入,但是prepare语句可能需要我的应用程序进行大量的开发工作,所以我正在寻找耗时更少且更简单的方法来修复大多数可能注入的sql语句。
StringBuffer sb = new StringBuffer();
sb.append(" UPDATE ");
sb.append(DB.quote(table));
sb.append(" SET ");
/* logic if column value has changed */
/* if yes */
sb.append(DB.quote(column.name));
sb.append(" = ");
sb.append(column.getSQLvalue());
sb.append(" WHERE (id = ");
sb.append(columns[0].getSQLvalue());
sb.append(")");
execute(sb.toString());
UPDATE `company` SET `itnumber` = '595959' WHERE (id = 932)
So the value of itnumber is coming from user input for that company. I want to make sure I am able to prevent any kind of sql injection. So user inputs 595959 and I build that value as '595959' in the dynamic query. Is it still possible to have sql injection attack in this query? I am aware of using prepare statement to use to prevent sql injection, but prepare statement might take a lot of development efforts for my application, so I am looking for less time consuming and easier approach to fix most of my sql statements where injection is possible.
StringBuffer sb = new StringBuffer();
sb.append(" UPDATE ");
sb.append(DB.quote(table));
sb.append(" SET ");
/* logic if column value has changed */
/* if yes */
sb.append(DB.quote(column.name));
sb.append(" = ");
sb.append(column.getSQLvalue());
sb.append(" WHERE (id = ");
sb.append(columns[0].getSQLvalue());
sb.append(")");
execute(sb.toString());
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
如果您只是将输入连接到 SQL 字符串而不进行任何清理(并且简单地用单引号
'
包围它并不能使其干净),那么是的,它很容易受到 SQL 注入的攻击。请发布构建此 SQL 的代码以获得明确的答案。
更新:
由于您使用的是 Oracle SQL 库中的 getSQLvalue(),这将确保传入的值正确转义。这确实可以避免 SQL 注入,但是它要求您记住在每个地方都使用它。但是,使用参数可以确保相同的效果,并且不会有忘记转义 SQL 值的风险。
If you are simply concatenating the input into a SQL string without doing any cleanups (and simply surrounding it with single quotes
'
doesn not make it clean), then yes, it is vulnerable to SQL injection.Please post the code that constructs this SQL for a definitive answer.
Update:
Since you are using
getSQLvalue()
from the Oracle SQL library, this would ensure that the value passed in is escaped correctly. This is indeed safe from SQL injection, however it requires you to remember to use it in every place. Using parameters would ensure the same, however, without the risk of forgetting to escape your SQL values.是的。例如:
可能会起作用。
Yes, it is. For example:
Would probably work.
您会惊讶地发现,从一开始就以
正确
的方式实施解决方案所花费的时间会少得多。另外,为什么这比连接查询字符串更复杂?另外,它的一个优点是大多数现代驱动程序都会缓存准备好的语句的执行计划,因此这将加快其他查询的速度。
You would be surprised how much less time consuming it is to implement solution the
right
way from the start. Plus how come this is more complex than concatenating query string?Plus, it has an advantage that most modern drivers will cache the execution plan of the prepared statement, thus this will speed up other queries.
实际上,最安全的做法是为此创建一个存储过程,那么您的数据类型至少可以保护您一点。
这样如果如果; DROP TABLE 公司; --' WHERE (id = 932) 传递到 @Company_Id 它将失败,因为数据类型不匹配。
如果您尝试确定要更新哪些列,并且仅当它们发生更改时,您可以考虑执行 MERGE 而不是 UPDATE 语句。通过这种方式,您可以提取记录的当前状态,并且仅在它们不相同时才进行更新。
Really the safest thing to do is create a stored proc for this, then your datatypes at least protect you a little.
At this way if if ; DROP TABLE company; --' WHERE (id = 932) is passed into @Company_Id it will fail as the datatype is a miss match.
If you're trying to determine which columns to update and only if they've changed you could look into doing a MERGE instead of an UPDATE statement. This way you can pull the current state of a record and only update if they arne't the same.