Is it possible to do sql injection with stored procedures?


Question


I saw some similar questions, none about mysql...
Is there any way to do a sql injection into a SP? How do I protect from this on the SP level?
In other words, can the query structure inside a SP be modified in any way by an incoming parameter?
If I send to a stored procedure the parameter "1;DELETE FROM users;--" and the query is:

select *
from T
where = @p

Answer


SQL injection is, basically, adding extra code to the query. The attack itself occurs because the server parses the input data as SQL code and executes it accordingly. You cannot protect from it on the SP level, because when the execution gets to the procedure, the attack has already succeeded.


So as long as you construct your queries as text, SQL injection is possible regardless of what the text of the query is. And if you don't, or if you properly sanitize your input, then again, SQL injection shouldn't be a problem, whether it's SELECT or something else.
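As an added example (not part of the question or the answer above), the three MySQL stored-procedure shapes below make the answer's point concrete at the SP level: with static SQL the parameter is always a bound value, with CONCAT-built dynamic SQL the parameter becomes part of the query text and the procedure itself reintroduces injection, and with PREPARE ... USING the value is bound even when the SQL is dynamic. The table T, the column id and the procedure names are assumed for illustration and are not from the original post.

```sql
DELIMITER $$

-- 1. Static SQL: p_id is a value the engine compares against id.
--    Whatever text the caller passes, the shape of the SELECT cannot change here.
CREATE PROCEDURE get_by_id(IN p_id VARCHAR(64))
BEGIN
    SELECT * FROM T WHERE id = p_id;
END$$

-- 2. Dynamic SQL built by concatenation: p_id is spliced into the query text,
--    so the parameter can alter the statement's structure inside the procedure.
--    This is the pattern the answer warns about, moved into the SP.
CREATE PROCEDURE get_by_id_concat(IN p_id VARCHAR(64))
BEGIN
    SET @sql_text = CONCAT('SELECT * FROM T WHERE id = ', p_id);
    PREPARE stmt FROM @sql_text;
    EXECUTE stmt;
    DEALLOCATE PREPARE stmt;
END$$

-- 3. Dynamic SQL with a placeholder: the statement text is a constant and the
--    value travels through EXECUTE ... USING, so it is bound, not parsed.
CREATE PROCEDURE get_by_id_prepared(IN p_id VARCHAR(64))
BEGIN
    SET @v_id = p_id;
    PREPARE stmt FROM 'SELECT * FROM T WHERE id = ?';
    EXECUTE stmt USING @v_id;
    DEALLOCATE PREPARE stmt;
END$$

DELIMITER ;

-- Client side (the part the answer says matters most): bind the argument to CALL
-- instead of building the CALL string from user input, e.g. with a prepared
-- statement in the application. Shown here in MySQL's own prepared-statement syntax:
SET @user_input = '1;DELETE FROM users;--';   -- constructed sample input from the question
PREPARE call_stmt FROM 'CALL get_by_id(?)';
EXECUTE call_stmt USING @user_input;           -- reaches the procedure as one string value
DEALLOCATE PREPARE call_stmt;
```

The first and third procedures treat the question's payload as a 22-character string that matches no id, because the engine never parses it as SQL. The second procedure is the one to look for in a review: any CONCAT or string assembly that feeds PREPARE or EXECUTE IMMEDIATE is the text construction the answer describes, regardless of whether it lives in the application or in the procedure.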
