Sql Server注入 [英] Sql Server injection

问题描述

任何人用明确的例子解释sql注入。



问候，

Gopi

Hi,

anyone explain the sql injection with clear example.

Regards,
Gopi

推荐答案

SQL注入攻击和一些关于如何防范它们的技巧 [ ^ ]

http://technet.microsoft.com/en-us/library/ms161953(v=sql。 105）.aspx [ ^ ]

http://www.w3schools.com/sql /sql_injection.asp [ ^ ]



SQL_injection - 示例 [ ^ ]



-KR

SQL Injection Attacks and Some Tips on How to Prevent Them[^]
http://technet.microsoft.com/en-us/library/ms161953(v=sql.105).aspx[^]
http://www.w3schools.com/sql/sql_injection.asp[^]

SQL_injection - Examples[^]

-KR

假设您正在构建一个销售音乐的Web应用程序。您有一个名为相册的数据库表，以及一个允许用户浏览这些相册的网页。您可能在页面中填充了以下查询中的数据：



SELECT Title，Year，AlbumName，CoverArtURL FROM Albums



到目前为止很棒。现在如果您希望用户能够搜索该怎么办？好的，所以你添加一个搜索框，当他们提交它时，你拿它们提交的值，把它放在一个名为 UserSearchValue 的变量中，用你的代码构造你的查询看起来像这样：

Let's say you are building a web application that sells music. You have a database table called Albums, and a web page that lets the user browse those albums. You might have a page populated with data from a query like this:

SELECT Title, Year, AlbumName, CoverArtURL FROM Albums

Great so far. Now what if you want the user to be able to search? Okay, so you add a search box, and when they submit it, you take the value they submitted, put it in a variable called UserSearchValue, and construct your query with code that looks something like this:

query = "SELECT Title, Year, AlbumName, CoverArtURL FROM Albums"
if (UserSearchValue.Length > 0)
    query += " WHERE Title LIKE '%" + UserSearchValue + "%'"
// ... submit query

所以如果用户输入Greatest Hits，您将收到以下查询：

So if the user puts in "Greatest Hits", you will get this query:

SELECT Title, Year, AlbumName, CoverArtURL FROM Albums<br />
WHERE Title LIKE '%Greatest Hits%'

还是那么好。



但是，如果用户做了意想不到的事情呢？如果用户输入此搜索字符串该怎么办：

'; DROP TABLE相册; -



现在生成的查询是什么您的应用程序是否正在提交到数据库服务器？它将如下所示：

Still so far so good.

But what if the user does something unexpected? What if the user enters this search string:
"'; DROP TABLE Albums; --"

Now what is the resulting query that your application is submitting to the database server? It will look like this:

SELECT Title, Year, AlbumName, CoverArtURL FROM Albums<br />
WHERE Title LIKE '%'; DROP TABLE Albums; --%'

用户设法在查询中添加整个查询，告诉服务器放弃专辑表，只需完成原始查询，插入（或注入）额外代码，然后注释掉下面的所有内容。这真是一场灾难！这就是所谓的SQL注入，即用户可以在服务器上执行自己的代码的技术。我希望用户能够让服务器做任何他们想做的事情的危险非常明显。这完全违反了系统安全性和完整性。一个聪明的人可以通过你创建的用户界面摧毁一切！这就是为什么你会一次又一次地听到必须使用参数化查询和清理输入等技术，而不是让用户提交的文本直接成为SQL查询的一部分。

The user has managed to add an entire query to your query, telling your server to drop the Albums table, just by finishing off the original query, inserting (or "injecting") extra code, then commenting out everything following. This is quite a disaster! This is what is known as "SQL injection", the technique whereby a user can cause his own code to be executed on your server. I would hope that the dangers of users being able to make your server do whatever they want are pretty obvious. It is a complete breach of system security and integrity. One clever person can destroy everything, through the user interface that you created! This is why you will hear repeated again and again that you must use techniques such as parameterized queries and cleansing of input rather than ever letting user-submitted text directly become a part of your SQL queries.

这篇关于Sql Server注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！