SQL injection [original thread subject: Sql injecting]

Views: 89
This article covers how to deal with SQL injection; readers facing the same problem may find the answers below a useful reference.

Problem description

Hi everyone,
I'm a web programmer, but I never understood sql injecting.
All I found was that you can write "a' or 'a'='a" in the password
field to try to connect without knowing the password.
I heard that there are many other ways to do sql injecting, and I
never found how.
I know that you can even manage to get data from sql tables using sql
injecting.
How can it be? How can someone do it?
Please help,
Ofir.

Solution

> I'm a web programmer, but I never understood sql injecting.

Your best defense against SQL injection in SQL Server is to execute only
parameterized SQL statements and stored procedures. Never build SQL strings
by concatenating values. Code is vulnerable to injection if SQL statements
are built and executed like:

sqlStatement = "SELECT MyData FROM dbo.MyTable WHERE MyColumn = '" + myValue + "'";

A malicious user can change the intent of this SQL statement by specifying a
value like:

';DROP TABLE dbo.MyTable;--

or

' UNION ALL SELECT Password FROM dbo.Users;--

Google "SQL injection" for more information.

--
Hope this helps.

Dan Guzman
SQL Server MVP

"ofiras" <of****@gmail.com> wrote in message
news:99**********************************@v4g2000hsf.googlegroups.com...

> Hi everyone,
> I'm a web programmer, but I never understood sql injecting.
> All I found was that you can write "a' or 'a'='a" in the password
> field to try to connect without knowing the password.
> I heard that there are many other ways to do sql injecting, and I
> never found how.
> I know that you can even manage to get data from sql tables using sql
> injecting.
> How can it be? How can someone do it?
> Please help,
> Ofir.
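To make Dan's advice concrete, here is an added example (not code from the thread) that puts the concatenated statement he warns against side by side with the parameterized form he recommends, and runs both against the two inputs quoted in the thread. SQLite stands in for SQL Server; the Users table, its two rows and the function names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Build a small in-memory SQLite database (constructed sample data,
    not from the original thread) with a Users table standing in for the
    dbo.Users referenced in the reply above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (Username TEXT NOT NULL, Password TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO Users (Username, Password) VALUES (?, ?)",
        [("ofir", "s3cret"), ("dan", "mvp-pass")],
    )
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable: the SQL text is assembled by concatenating user input,
    exactly the pattern the reply warns against. Whatever the user types
    becomes part of the statement's syntax."""
    sql = (
        "SELECT Username FROM Users WHERE Username = '" + username
        + "' AND Password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Safe: the SQL text is a constant; the values travel separately as
    bound parameters, so a quote or keyword in the input is compared as
    data and never parsed as SQL."""
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# The two inputs quoted in the thread: the password-field bypass from the
# question and the UNION read from the answer (without the ';' so that the
# sqlite3 driver accepts it as a single statement).
BYPASS_PASSWORD = "a' or 'a'='a"
UNION_USERNAME = "' UNION ALL SELECT Password FROM Users--"


def compare(conn):
    """Run both implementations against a normal login and the two inputs;
    returns a dict so the outcome can be checked rather than only printed."""
    return {
        "normal": (
            login_concatenated(conn, "ofir", "s3cret"),
            login_parameterized(conn, "ofir", "s3cret"),
        ),
        "bypass": (
            sorted(login_concatenated(conn, "ofir", BYPASS_PASSWORD)),
            login_parameterized(conn, "ofir", BYPASS_PASSWORD),
        ),
        "union": (
            sorted(login_concatenated(conn, UNION_USERNAME, "x")),
            login_parameterized(conn, UNION_USERNAME, "x"),
        ),
    }


if __name__ == "__main__":
    for case, (concat_rows, param_rows) in compare(make_db()).items():
        print(f"{case:7s} concatenated -> {concat_rows}  parameterized -> {param_rows}")
```

The concatenated version returns every user for the bypass input and the Password column for the UNION input; the parameterized version returns nothing for either, because the whole input is compared against the Username or Password column as a single string. In ADO.NET against SQL Server the same separation is achieved with `@name` placeholders and `SqlCommand.Parameters`, and the stored procedures Dan mentions give the same property when they are called with parameters rather than built with dynamic SQL.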


On Fri, 16 Nov 2007 13:01:14 GMT, "Dan Guzman"
<gu******@nospam-online.sbcglobal.net> wrote:

I agree with you, but isn't this a strike against LINQ?
-Tom.

> I'm a web programmer, but I never understood sql injecting.


> Your best defense against SQL injection in SQL Server is to execute only
> parameterized SQL statements and stored procedures. Never build SQL strings
> by concatenating values. Code is vulnerable to injection if SQL statements
> are built and executed like:
>
> sqlStatement = "SELECT MyData FROM dbo.MyTable WHERE MyColumn = '" + myValue + "'";
>
> A malicious user can change the intent of this SQL statement by specifying a
> value like:
>
> ';DROP TABLE dbo.MyTable;--
>
> or
>
> ' UNION ALL SELECT Password FROM dbo.Users;--
>
> Google "SQL injection" for more information.


On Fri, 16 Nov 2007 01:31:14 -0800 (PST), ofiras <of****@gmail.com>
wrote:

> I'm a web programmer, but I never understood sql injecting.

One piece worth reading:

http://www.sommarskog.se/dynamic_sql.html#SQL_injection

Roy Harvey
Beacon Falls, CT

