防止附加SQL Injection SP. [英] Prevent SQL Injection SP attached.

问题描述

大家好，

我对此很陌生，但我的登录系统仍允许SQL注入.我可以输入用户名"a" ="a"，并输入相同的密码，然后它将登录.我想知道存储过程是否有问题.感谢您的建议.

Hi all,

I''m pretty new to this but my login system is still allowing SQL Injection. I can type in the user name ''a''=''a'' and same for the password and it''ll log me in. I was wondering if something is wrong with my stored procedure. Thanks for the advice.

CREATE PROCEDURE Admin_Login (	IN	p_username	VARCHAR(20),
				IN	p_password	VARCHAR(20),
				OUT	p_auth		CHAR(1))

Language SQL

------------------------------------------------------------------------
-- SQL Stored Procedure 
------------------------------------------------------------------------
P1: BEGIN

DECLARE	v_username	VARCHAR(20);
DECLARE v_password	VARCHAR(20);
DECLARE v_auth		CHAR(1) DEFAULT '0';

SELECT 	ADMIN_EMAIL,
	ADMIN_PASSWORD
INTO 	v_username,
	v_password
FROM	ADMIN
WHERE	ADMIN_EMAIL = p_username
AND	ADMIN_PASSWORD = p_password;

IF	v_username = p_username AND v_password = p_password THEN
	SET	p_auth = '1';
ELSE
	SET	p_auth = '0';
END IF;

END P1

推荐答案

首先，为什么不简单地检查用户是否存在使用 EXISTS [

First of all, why not simply checking if a user exists with the current username and password using the EXISTS[^] function?

IF EXISTS(SELECT ADMIN_EMAIL, ADMIN_PASSWORD FROM ADMIN WHERE ADMIN_EMAIL = p_username AND ADMIN_PASSWORD = p_password)
BEGIN
   -- User exists
END
ELSE
BEGIN
   -- User not found
END

打电话给每个用户ADMIN似乎有点奇怪...
无论如何，这仅在您存储未加密密码的情况下才有效！那绝不是一个好主意……尤其是当您知道自己容易受到SQL注入的攻击时！ (提醒我不要在您编写的任何软件上创建帐户...).
这是一篇有关加密密码的好文章: The Art&存储密码的科学 [ ^ ]
除了SQL，您没有在帖子中指定任何语言.但是我认为您可以从本文中学到很多东西，而且大多数人都可以阅读C#，所以我认为您可以进行管理.
希望对您有所帮助.

Calling every user ADMIN seems kind of weird by the way...
Anyway, this would only work if you store passwords unencrypted! And that''s never a good idea... Especially when you know you''re vulnerable to SQL Injection! (Remind me never to create an account on any software you''ve written...).
Here''s a good article about encrypting passwords: The Art & Science of Storing Passwords[^]
You didn''t specify any languages in your post, except SQL. But I think you can learn a lot from this article and most people are able to read C#, so I think you''ll manage.
Hope it helps.

这篇关于防止附加SQL Injection SP.的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！