Is knex.where prone to SQL injection attacks?


Question


This is a follow-up question to https://stackoverflow.com/a/50337990/1370984.

It mentions knex('table').where('description', 'like', '%${term}%') as prone to sql injection attacks. Even a comment mentions the first case as prone to injection attacks. Yet the reference provided never mentions .where being prone to injection attacks.

Is this a mistake? Why would knex allow .where to be prone to injection attacks but not .whereRaw('description like \'%??%\'', [term])? Aren't the arguments being parameterized in both cases?

Solution

This is a follow-up question to https://stackoverflow.com/a/50337990/1370984.

It mentions knex('table').where('description', 'like', '%${term}%') as prone to sql injection attacks. Even a comment mentions the first case as prone to injection attacks. Yet the reference provided never mentions .where being prone to injection attacks.

I'm a knex maintainer and I have commented there that

knex('table').where('description', 'like', `%${term}%`)

is NOT vulnerable to SQL injection attacks.

Is this a mistake? Why would knex allow .where to be prone to injection attacks but not .whereRaw('description like \'%??%\'', [term])? Aren't the arguments being parameterized in both cases?

That .whereRaw is vulnerable when you interpolate values directly into the SQL string (as, for example, ?? identifier replacement does).

Correct use for .whereRaw in this case would be for example:

.whereRaw("?? like '%' || ? || '%'", ['description', term])

where all identifiers are quoted correctly and term is sent to the DB as a parameter binding.

So the answer and most of the comments added to that answer are just plain wrong.
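The distinction the maintainer draws above, shown as an added example that is not part of the original thread and is not knex's own code: a small stand-in that models the two placeholder conventions knex documents (`?` sends the value to the driver as a binding; `??` quotes an identifier and splices it into the SQL text) and reports, like knex's toSQL(), the SQL string plus the bindings array. The functions where, whereRaw, wrapIdentifier and termLeaksIntoSql are constructed for this illustration, the Postgres-style double-quote identifier wrapping is an assumption (knex varies it by dialect), and the term O'Reilly is constructed sample input chosen because it contains a single quote.

```javascript
// Added illustration, not knex itself: models what knex's toSQL() reports
// (sql text + bindings) for the three query shapes discussed in the thread.
// Conventions as documented by knex: `?` = value binding, `??` = identifier.

// Assumption: Postgres-style identifier quoting (double quotes, embedded
// double quotes doubled). Only double quotes are escaped here; a single quote
// inside the name is left untouched, which is why it can land inside a string
// literal when `??` is misused for a value.
function wrapIdentifier(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

// Stand-in for knex(...).where(column, operator, value): the column is treated
// as an identifier, the value is always emitted as a `?` binding and never
// spliced into the SQL text, whatever characters it contains.
function where(column, operator, value) {
  return { sql: `${wrapIdentifier(column)} ${operator} ?`, bindings: [value] };
}

// Stand-in for whereRaw(sql, bindings): walks the template consuming one
// binding per placeholder. `??` splices the quoted binding into the SQL text;
// `?` stays a placeholder and its binding is handed to the driver.
function whereRaw(template, bindings) {
  const remaining = [];
  let i = 0;
  const sql = template.replace(/\?\??/g, (match) => {
    const b = bindings[i++];
    if (match === '??') return wrapIdentifier(b);
    remaining.push(b);
    return '?';
  });
  return { sql, bindings: remaining };
}

// Defender's check: does the user-supplied term appear in the SQL text itself?
// If it does, the database parser sees it as part of the statement rather than
// as a parameter, which is the property that makes injection possible.
function termLeaksIntoSql(query, term) {
  return query.sql.includes(term);
}

const term = "O'Reilly"; // constructed sample input containing a single quote

// 1. .where with a template-literal value: the whole pattern is a binding.
const safeWhere = where('description', 'like', `%${term}%`);
// 2. .whereRaw misusing `??` for a value: the term is spliced into the SQL.
const rawMisused = whereRaw("description like '%??%'", [term]);
// 3. .whereRaw used as the maintainer shows: `??` for the column, `?` for term.
const rawCorrect = whereRaw("?? like '%' || ? || '%'", ['description', term]);

console.log(safeWhere, termLeaksIntoSql(safeWhere, term));   // ... false
console.log(rawMisused, termLeaksIntoSql(rawMisused, term)); // ... true
console.log(rawCorrect, termLeaksIntoSql(rawCorrect, term)); // ... false
```

In the misused form the single quote from the term ends up inside the `'%...%'` literal of the statement text, while in the other two forms the term only ever travels in the bindings array; that is the difference between "interpolated into the SQL string" and "sent as a parameter binding" in the answer.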

