SQL Injection prevention with dynamic SQL ALTER USER query


Problem description


Is this a good way to prevent SQL injection in a dynamic SQL ALTER USER query:

CREATE OR REPLACE PROCEDURE set_user_password(ident IN VARCHAR2, password IN VARCHAR2) AS
    z_ident VARCHAR2(130);
    z_pass  VARCHAR2(130);
    z_sql   VARCHAR2(4000);
BEGIN
    -- quote both values as identifiers so they cannot break out of the statement
    z_ident := DBMS_ASSERT.ENQUOTE_NAME(ident);
    z_pass  := DBMS_ASSERT.ENQUOTE_NAME(password);
    z_sql   := 'alter user ' || z_ident || ' identified by ' || z_pass;
    EXECUTE IMMEDIATE z_sql;
END;
/


Because sometimes you have a function to generate a random password with a " character, and when you do:

SELECT DBMS_ASSERT.ENQUOTE_NAME('"asd') FROM DUAL;


You get an ORA-06512 / ORA-06502 exception.

Recommended answer


You shouldn't try to prevent SQL injection only on the database level. Once they got there, they mostly already got you. You should use parameters, mask input and remove bad characters already in the layer above. Tools (frameworks?) like Entity Framework automatically remove dangerous characters.


Using DBMS_ASSERT.ENQUOTE_NAME is doing very well here, but I'd recommend doing this as well in the layers above.


General rule (that you follow here): Use security mechanisms that are established and proven, don't reinvent them!

Also, something like

select * from users where username = 'IAm"WayUp';

is perfectly legal and not dangerous.


And how do you call the function/procedure in the DB? You're vulnerable there as well, aren't you?
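The following hardened version of the procedure is an added example, not code from the question or the answer above; the procedure and parameter names are assumptions. It rejects the double-quote case that makes ENQUOTE_NAME raise ORA-06502 before building the statement, turns the remaining generic VALUE_ERROR into a clear message, and keeps the password's case (ENQUOTE_NAME uppercases an unquoted value by default, which would silently change the generated password):

```sql
-- Added example (not from the original post); names are assumptions.
CREATE OR REPLACE PROCEDURE set_user_password(
    p_user     IN VARCHAR2,
    p_password IN VARCHAR2) AS
    z_ident VARCHAR2(130);
    z_pass  VARCHAR2(130);
    z_sql   VARCHAR2(4000);
BEGIN
    -- An Oracle password cannot contain a double quote, and ENQUOTE_NAME
    -- raises ORA-06502 on an unbalanced quote, so reject the value here
    -- with a clear message instead of a generic VALUE_ERROR.
    IF INSTR(p_password, '"') > 0 THEN
        RAISE_APPLICATION_ERROR(-20001, 'password must not contain a double quote');
    END IF;

    -- Default capitalize => TRUE uppercases an unquoted value; that is what we
    -- want for the user name (matches an unquoted CREATE USER), but NOT for a
    -- case-sensitive password, so the password keeps its case.
    z_ident := DBMS_ASSERT.ENQUOTE_NAME(p_user);
    z_pass  := DBMS_ASSERT.ENQUOTE_NAME(p_password, FALSE);

    -- Both values are now quoted identifiers; neither can end the statement
    -- or start a new one, so concatenation into dynamic SQL is safe.
    z_sql := 'alter user ' || z_ident || ' identified by ' || z_pass;
    EXECUTE IMMEDIATE z_sql;
EXCEPTION
    WHEN VALUE_ERROR THEN
        -- ORA-06502 from ENQUOTE_NAME on a malformed name or over-long value
        RAISE_APPLICATION_ERROR(-20002, 'invalid user name or password format');
END;
/
```

Call it from the application with bind variables (for example `BEGIN set_user_password(:1, :2); END;`), never by concatenating the user name or password into the call text, which is the "layer above" point the answer makes.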
