How can I protect Amazon SimpleDB from SQL Injection?


Question

Under the principle of "if it walks like a duck and it sounds like a duck," it sure seems like the SQL-flavored queries that Amazon's SimpleDB supports should be susceptible to SQL injection-type attacks. Here's a simple example that assumes the attacker's input is going into the variable $category, and that he can guess a column name:

// Attacker-controlled input: the first ' closes the string literal, and the rest is appended to the WHERE clause.
$category = "Clothes' OR Category LIKE '%";
// Interpolating it unescaped yields ... WHERE Category = 'Clothes' OR Category LIKE '%', which matches every item in the domain.
$results = $sdb->select("SELECT * FROM `{$domain}` WHERE Category = '$category'");

If you're playing the home game, these lines can be an in-place replacement for line 119 in the file html-sdb_create_domain_data.php in the sample code in Amazon's PHP SDK (1.2).

Amazon publishes quoting rules, and I suppose I could write something that ensures that any " or ' in user input gets doubled up... but I've always understood that escaping is basically an arms race, which makes parametrization my weapon of choice when using, for example, MySQL.

What are other people using to defend SimpleDB queries?

Recommended answer

The SimpleDB Select operation is non-destructive, so the only thing to protect against is extra query data going out to the attacker.

The solution to sanitize user input to the query is pretty easy with SimpleDB since sub-selects and compound statements are not allowed. So it's not really an arms race; sequences of one or more quote characters in the input must be escaped if the length of the sequence is odd.
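As an added illustration (not code from the question, the answer, or Amazon's PHP SDK), the following PHP applies the quoting rule the question refers to: inside a single-quoted SimpleDB value a literal single quote is written as two single quotes, and inside a backtick-quoted identifier a literal backtick is written as two backticks. It doubles every quote it finds rather than implementing the answer's odd-length-sequence variant, since doubling all of them is always safe. The function names, the domain name and the attacker string are assumptions or constructed sample input.

```php
<?php
// Added example, not part of the original question, answer, or Amazon's SDK.
// Assumes SimpleDB's documented quoting rule: a single quote inside a
// single-quoted value is escaped by doubling it; a backtick inside a
// backtick-quoted identifier is escaped by doubling it.

/**
 * Quote a value for use in a SimpleDB Select expression.
 * Every single quote in $value is doubled, so user input can never
 * terminate the string literal early.
 */
function sdb_quote_value($value)
{
    return "'" . str_replace("'", "''", (string) $value) . "'";
}

/**
 * Quote an identifier (domain or attribute name) for a Select expression.
 * Every backtick is doubled for the same reason.
 */
function sdb_quote_identifier($name)
{
    return '`' . str_replace('`', '``', (string) $name) . '`';
}

/**
 * Build the Select expression from the question with quoting applied
 * to both the domain name and the user-supplied category.
 */
function build_category_select($domain, $category)
{
    return 'SELECT * FROM ' . sdb_quote_identifier($domain)
         . ' WHERE Category = ' . sdb_quote_value($category);
}

// Constructed sample input: a hypothetical domain and the attacker string from the question.
$domain   = 'my_domain';
$category = "Clothes' OR Category LIKE '%";

// The unquoted interpolation from the question, shown side by side with the quoted version.
$unsafe = "SELECT * FROM `{$domain}` WHERE Category = '{$category}'";
$safe   = build_category_select($domain, $category);

echo "Unsafe: {$unsafe}\n";
echo "Safe:   {$safe}\n";

// In real code the quoted expression is what gets passed on:
// $results = $sdb->select(build_category_select($domain, $category));
```

With the attacker string above, the unsafe version becomes `... WHERE Category = 'Clothes' OR Category LIKE '%'`, which matches every item, while the quoted version becomes `... WHERE Category = 'Clothes'' OR Category LIKE ''%'`, a comparison against one literal string that matches nothing. Attribute names cannot be quoted as values, so if the attribute to filter on is also user-controlled, check it against a fixed list of allowed names rather than interpolating it.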
