SQL injection on Stored Procedure

Views: 143

Question

Hi, I'm a QA in my department and I want to try whether it's possible to have SQL injection when calling a stored procedure.

This would be a big help, not only for my own benefit but for my company.

Usually in our department, when calling a stored procedure, they use this code:

Dim Sql = "CALL usersaccount ('" & Username.Text &"','" & Password.Text &"');"

I've observed that they are not using parameters.

Answer

The code above is, as you stated, wide open to very simple attacks.
Your thinking is extremely important: they have to protect against SQL injection!

See How To: Protect From SQL Injection in ASP.NET

See further info about stored procedures and the things to notice regarding SQL injection:
- [CodeProject Tip] How to prevent SQL Injection in Stored Procedures
- Do Stored Procedures Protect Against SQL Injection?
- Are stored procedures safe against SQL injection?

Cheers,
Edo
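An added example, not code from the question or the answer above, showing how the concatenated CALL from the question is replaced by a parameterized stored-procedure invocation. It assumes MySQL Connector/NET (MySql.Data.MySqlClient) and a procedure usersaccount with two IN parameters named p_user and p_pass that returns a row when the credentials match; those names and the connection string are assumptions.

```vb
Imports System.Data
Imports MySql.Data.MySqlClient

Public Module UserAccountRepository

    ' Safe replacement for:
    '   Dim Sql = "CALL usersaccount ('" & Username.Text & "','" & Password.Text & "');"
    ' The procedure is invoked by name and its arguments are bound as parameters,
    ' so the driver sends the values separately from the statement text and a
    ' quote or comment sequence in the input can never alter the SQL structure.
    Public Function AccountExists(connectionString As String,
                                  userName As String,
                                  password As String) As Boolean
        Using conn As New MySqlConnection(connectionString)
            Using cmd As New MySqlCommand("usersaccount", conn)
                cmd.CommandType = CommandType.StoredProcedure

                ' Parameter names and sizes must match the procedure's IN
                ' parameters (assumed here: p_user VARCHAR(64), p_pass VARCHAR(128)).
                cmd.Parameters.Add("p_user", MySqlDbType.VarChar, 64).Value = userName
                cmd.Parameters.Add("p_pass", MySqlDbType.VarChar, 128).Value = password

                conn.Open()
                Using reader As MySqlDataReader = cmd.ExecuteReader()
                    ' One matching row means the account exists.
                    Return reader.Read()
                End Using
            End Using
        End Using
    End Function

End Module
```

A QA check for the old code path is simply to search the code base for "CALL " inside string concatenations with `&`; every such site should be converted to the CommandType.StoredProcedure form above or to a parameterized `CALL usersaccount(@p_user, @p_pass)` statement.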

