Prepared statements and second order SQL injections


Problem description

I have read somewhere here that using prepared statements in PDO makes your app only immune to first order SQL injections, but not totally immune to second order injections.

My question is: if we used prepared statements in all queries including SELECT queries and not only in INSERT query, then how can a second order sql injection be possible?

For example in the following queries there is no chance for a 2nd order injection:

write:

INSERT INTO posts (userID,text,date) VALUES(?,?,?)

read:

SELECT * FROM posts WHERE userID=?

delete:

DELETE FROM posts WHERE userID=?

Solution

What you have read is plain rubbish. Whoever wrote it just has no clue.

You should use prepared statements not for the query but for the data. Every time you have to add a variable into a query, you have to do it via a placeholder only. So, your query separation theory makes no sense: it doesn't matter if it is SELECT or ALTER or GRANT or whatever. The only thing that matters is whether any variable goes into the query or not.
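An added example, not from the question or the answer and not PDO, that shows what the answer means in runnable form. It uses Python's sqlite3 with a constructed schema and constructed rows: the INSERT binds its value correctly, so the quote inside the stored username is saved literally, but the second query concatenates that stored value instead of binding it, so the stored text is parsed as SQL. The fixed function binds the value read from the database exactly as it would bind request input.

```python
import sqlite3

# Constructed schema for the demonstration (not the original post's tables).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE posts (id INTEGER PRIMARY KEY, username TEXT, text TEXT);
"""

# Constructed sample value: a username containing a quote and a tautology.
ODD_USERNAME = "x' OR '1'='1"


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # First-order safe: every value goes through a placeholder, so the
    # quote in ODD_USERNAME is stored as data, exactly as typed (id 1).
    conn.execute("INSERT INTO users (username) VALUES (?)", (ODD_USERNAME,))
    conn.execute("INSERT INTO users (username) VALUES (?)", ("alice",))
    conn.execute("INSERT INTO posts (username, text) VALUES (?, ?)",
                 ("alice", "alice private note"))
    conn.execute("INSERT INTO posts (username, text) VALUES (?, ?)",
                 (ODD_USERNAME, "odd user note"))
    return conn


def posts_for_user_vulnerable(conn: sqlite3.Connection, user_id: int) -> list:
    # The stored value is read back with a bound parameter (safe so far) ...
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    # ... then concatenated into the next query because it "came from the
    # database": this is the second-order injection the answer describes.
    sql = "SELECT text FROM posts WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def posts_for_user_fixed(conn: sqlite3.Connection, user_id: int) -> list:
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    # Origin of the variable is irrelevant: it is bound, never concatenated.
    return [row[0] for row in conn.execute(
        "SELECT text FROM posts WHERE username = ?", (username,))]


if __name__ == "__main__":
    db = setup()
    print("vulnerable:", posts_for_user_vulnerable(db, 1))  # every post leaks
    print("fixed:     ", posts_for_user_fixed(db, 1))       # only that user's post
```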
