如何防止 order by 子句上的冷融合 SQL 注入
由于 cfqueryparam 不能按 order by 工作,使用 xmlformat 会停止 sql 注入吗?
ORDER BY #xmlformat(myVariable)#
谢谢,
Since cfqueryparam doesn't work in an order by, would using xmlformat stop sql injections?
ORDER BY #xmlformat(myVariable)#
Thanks,
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
http://www.petefreitag.com/item/677.cfm
一个好方法解决此限制的方法是使用 ListFindNoCase 函数来限制可排序的列名称,例如:
http://www.petefreitag.com/item/677.cfm
A good way to get around this limitation is to use the ListFindNoCase function, to limit the sortable column names, for example:
这是来自存储过程,但将 @ORDER_BY 值转换为实际的数据库列,并将 @SORT_ORDER 值转换为 SQL 命令。
This is from a stored procedure, but translate an @ORDER_BY value to an actual database column and a @SORT_ORDER value to a SQL command.
XML 格式无法处理所有情况。
列检查很好,但我猜测让用户定义顺序的优点是因为您可以使其比单个列更复杂。例如,您可以添加几列以及升序、降序等...
我建议您创建一个全局可用的函数,该函数可以去除任何不是数字、字母或逗号的字符。如果有人尝试进行 SQL 注入,它就会失败。
XML Format won't handle all cases.
The column check is good, but I'm guessing that the advantage of letting the user define what the order by is, is because you can make it more complex than just a single column. For instance, you could add several columns and an Ascending, Descending etc...
I'd suggest you make a globally available function that strips out any character that isn't a number, letter or comma. If someone did attempt to do a SQL Injection it would just fail.
或
或
等等
, sort)> <cfreturn sort /> <cfelse> <cfreturn default /> </cfif> </cfargument>等等
, myVariable)> ORDER BY #myVariable# </cfif>或
或
等等
, myVariable)> <cfset myVariable = "DefaultSort" /> </cfif> ORDER BY #myVariable#或
等等
, myVariable)> ORDER BY #myVariable# </cfif>或
或
等等
or
or
etc
, sort)> <cfreturn sort /> <cfelse> <cfreturn default /> </cfif> </cfargument>etc
, myVariable)> ORDER BY #myVariable# </cfif>or
or
etc
, myVariable)> <cfset myVariable = "DefaultSort" /> </cfif> ORDER BY #myVariable#or
etc
, myVariable)> ORDER BY #myVariable# </cfif>or
or
etc
另一种选择是对 ListFindNoCase 方法稍加修改。列信息可以存储在结构中。
key
将是公开可见的列名称,value
是真实的列名称。它有点复杂。但我喜欢这样一个事实:它不需要您公开您的架构。正如戴夫提到的,它还支持更多复合语句。Another option is a slight twist on the ListFindNoCase approach. Column information can be stored in a structure. The
key
would be the publicly visible column name and thevalue
is the real column name. It is a little more complex. But I like the fact that it does not require you to expose your schema. It also supports more compound statements as Dave mentioned.