If I write a dynamic query inside a stored procedure, will there be a threat of a SQL injection attack?
Problem description
If I write a dynamic query inside a stored procedure, will there be a threat of a SQL injection attack?
These are two examples...
create procedure Details
(
    @Date int,
    @CompId int
)
as
begin
    declare @a varchar(max);
    declare @AfterPoint varchar(10);
    -- number of decimal places configured for this company (read from tbl_setting)
    select @AfterPoint = convert(varchar(10), Afterpoint) from tbl_setting where CompId = @CompId;
    -- @a must start as '' rather than NULL; otherwise every concatenation yields NULL and exec() runs nothing.
    -- The whole statement, including the per-company precision, is built by string concatenation.
    set @a = 'select VouNo, VouDesc, convert(varchar(100), CAST(Amount AS NUMERIC(18,' + @AfterPoint + '))) as FormattedAmount from tbl_Trans where vouDate = ' + convert(varchar(20), @Date) + ';';
    exec(@a);
end
Alter procedure VisitorDetails1
    @name nvarchar(50),
    @City nvarchar(100),
    @Dept nvarchar(max),
    @TableName nvarchar(50)
as
IF (EXISTS (SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME=@TableName))
--IF db_id('@TabName') IS NOT NULL
--IF OBJECT_ID('@TabName','U') is not null
begin
    -- nvarchar(50) silently truncates the built statement; nvarchar(max) holds it whole
    Declare @set nvarchar(max)
    -- the parameter values are pasted into the statement as string literals, so a quote
    -- character inside @name, @City or @Dept ends the literal and the rest runs as SQL
    set @set='insert into '+@TableName+'(Name,City,Dept) values(''' + @name + ''',''' + @City + ''',''' + @Dept + ''')'
    exec(@set)
    Print 'Success'
end
else
begin
    print 'Table is Not there'
end
I have used dynamic SQL in these SPs, ...
Is it easy to pass SQL injection on these? If yes, then how?
Recommended answer
In your 2nd example, if I called the SP with the name parameter set to something like
"'x','y','z'); drop table Customer;"
then your @set will be something like
insert into mytable (name, city, dept) values('x','y','z'); drop table Customer;
which probably isn't what you want.
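A hardened rewrite of the second procedure, added here as an example rather than taken from the question or the answer. It keeps the same columns and parameters, assumes a procedure name of VisitorDetails1_Safe, and assumes SQL Server 2016 SP1 or later for CREATE OR ALTER. The table name still has to be spliced into the statement, but it is validated against the catalog and bracket-quoted, while the values travel as typed parameters through sp_executesql.

```sql
-- Added example (not the asker's or answerer's code): a hardened VisitorDetails1.
-- Assumes the question's columns (Name, City, Dept); name of the procedure is our choice.
CREATE OR ALTER PROCEDURE VisitorDetails1_Safe
    @name      nvarchar(50),
    @City      nvarchar(100),
    @Dept      nvarchar(max),
    @TableName sysname            -- identifiers are at most 128 characters
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. Only a table that really exists is accepted; this lookup is itself parameterised.
    IF NOT EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES
                   WHERE TABLE_TYPE = 'BASE TABLE' AND TABLE_NAME = @TableName)
    BEGIN
        RAISERROR('Table is not there', 16, 1);
        RETURN;
    END;

    -- 2. An identifier cannot be a parameter, so it is bracket-quoted with QUOTENAME:
    --    a value containing ] or ; becomes one (nonexistent) bracketed name,
    --    not a second statement.
    DECLARE @sql nvarchar(max) =
        N'INSERT INTO ' + QUOTENAME(@TableName) + N' (Name, City, Dept) '
      + N'VALUES (@name, @City, @Dept);';

    -- 3. The values are bound as typed parameters, never concatenated as literals,
    --    so a name such as  x','y','z'); drop table Customer;  is stored verbatim
    --    as a 50-character string instead of being executed.
    EXEC sys.sp_executesql
        @sql,
        N'@name nvarchar(50), @City nvarchar(100), @Dept nvarchar(max)',
        @name = @name, @City = @City, @Dept = @Dept;

    PRINT 'Success';
END;
```

The first procedure can be treated the same way: pass @Date and the precision through sp_executesql, or avoid dynamic SQL entirely by formatting the amount with a fixed NUMERIC scale and rounding to the configured number of places.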