防止附加SQL Injection SP. [英] Prevent SQL Injection SP attached.
问题描述
大家好,
我对此很陌生,但我的登录系统仍允许SQL注入.我可以输入用户名"a" ="a",并输入相同的密码,然后它将登录.我想知道存储过程是否有问题.感谢您的建议.
Hi all,
I''m pretty new to this but my login system is still allowing SQL Injection. I can type in the user name ''a''=''a'' and same for the password and it''ll log me in. I was wondering if something is wrong with my stored procedure. Thanks for the advice.
CREATE PROCEDURE Admin_Login ( IN p_username VARCHAR(20),
IN p_password VARCHAR(20),
OUT p_auth CHAR(1))
Language SQL
------------------------------------------------------------------------
-- SQL Stored Procedure
------------------------------------------------------------------------
P1: BEGIN
DECLARE v_username VARCHAR(20);
DECLARE v_password VARCHAR(20);
DECLARE v_auth CHAR(1) DEFAULT '0';
SELECT ADMIN_EMAIL,
ADMIN_PASSWORD
INTO v_username,
v_password
FROM ADMIN
WHERE ADMIN_EMAIL = p_username
AND ADMIN_PASSWORD = p_password;
IF v_username = p_username AND v_password = p_password THEN
SET p_auth = '1';
ELSE
SET p_auth = '0';
END IF;
END P1
推荐答案
首先,为什么不简单地检查用户是否存在使用 EXISTS [
First of all, why not simply checking if a user exists with the current username and password using the EXISTS[^] function?
IF EXISTS(SELECT ADMIN_EMAIL, ADMIN_PASSWORD FROM ADMIN WHERE ADMIN_EMAIL = p_username AND ADMIN_PASSWORD = p_password)
BEGIN
-- User exists
END
ELSE
BEGIN
-- User not found
END
打电话给每个用户ADMIN似乎有点奇怪...
无论如何,这仅在您存储未加密密码的情况下才有效!那绝不是一个好主意……尤其是当您知道自己容易受到SQL注入的攻击时! (提醒我不要在您编写的任何软件上创建帐户...).
这是一篇有关加密密码的好文章: The Art&存储密码的科学 [ ^ ]
除了SQL,您没有在帖子中指定任何语言.但是我认为您可以从本文中学到很多东西,而且大多数人都可以阅读C#,所以我认为您可以进行管理.
希望对您有所帮助.
Calling every user ADMIN seems kind of weird by the way...
Anyway, this would only work if you store passwords unencrypted! And that''s never a good idea... Especially when you know you''re vulnerable to SQL Injection! (Remind me never to create an account on any software you''ve written...).
Here''s a good article about encrypting passwords: The Art & Science of Storing Passwords[^]
You didn''t specify any languages in your post, except SQL. But I think you can learn a lot from this article and most people are able to read C#, so I think you''ll manage.
Hope it helps.
这篇关于防止附加SQL Injection SP.的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!