SQL injection on Stored Procedure
Question
Hi, I'm a QA in my department and I want to try whether it's possible to have SQL injection when calling a stored procedure.
This would be a big help not only for my own benefit but for my company.
Usually in our department, when calling a stored procedure, they use this code:
Dim Sql = "CALL usersaccount ('" & Username.Text &"','" & Password.Text &"');"
I've observed that they are not using parameters.
Recommended answer
The code above is, as you stated, wide open to very simple attacks.
Your thinking is extremely important: they have to protect against SQL injection!
See How To: Protect From SQL Injection in ASP.NET
See further info about stored procedures and the things to notice regarding SQL injection:
- [CodeProject Tip] How to prevent SQL Injection in Stored Procedures
- Do Stored Procedures Protect Against SQL Injection?
- Are stored procedures safe against SQL injection?
Cheers,
Edo
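Added example (not part of the original question or answer) showing the point of the thread: a stored procedure does not help when the CALL statement itself is built by concatenation, and a bound-parameter call does. SQLite has no stored procedures, so a plain SELECT stands in for `CALL usersaccount(...)`; the table, the credentials and the apostrophe input are constructed for the demo.

```python
import sqlite3

# Added example; sqlite3 has no stored procedures, so a plain SELECT stands in
# for the page's `CALL usersaccount(...)`. The contrast is the same: the first
# function splices user input into the statement text, the second binds it.

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'alice', 'correct horse');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_concat(conn, username, password):
    # Mirrors the posted VB line: the data becomes part of the SQL text.
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def lookup_param(conn, username, password):
    # Placeholders: the statement text is fixed, values are bound separately.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def compare(username, password):
    """Run both variants on the same input; return rows or the error class."""
    conn = open_db()
    out = {}
    for name, fn in (("concat", lookup_concat), ("param", lookup_param)):
        try:
            out[name] = fn(conn, username, password)
        except sqlite3.Error as e:
            out[name] = type(e).__name__
    conn.close()
    return out


if __name__ == "__main__":
    # Ordinary credentials: both variants agree.
    print(compare("alice", "correct horse"))
    # A legitimate apostrophe in a name (constructed input): the concatenated
    # version lets the quote close the string and breaks the statement, which
    # shows that input is parsed as SQL; the bound version just finds no user.
    print(compare("O'Brien", "correct horse"))
```

The broken statement on a harmless apostrophe is the same weakness the answer describes; what a crafted input could do with it is why the reply links point at parameterised calls.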