Is MySQL more resistant to SQL injection attack than PostgreSQL (under Perl/DBI)?


Problem description

I am reviewing a Linux based perl web application that contains a login handler with the ubiquitous

my $sth = $DB->prepare("SELECT password from passwords where userid='$userid'") or die; $sth->execute or die; ...

where $userid is initialized from (unsafe, unfiltered) web user input.

It is well known that the DBI documentation recommends that this code should be changed to use the placeholder "?" in place of '$userid' for security.

This code was isolated on an off network box, as-is, for the purpose of a security review. Code like this on an internet server will eventually be cracked as there are bots now that scan for this vulnerability. The access control is also ineffective for protecting anything important because known injections can delete databases, insert bad data or new users, or bypass the access control to allow entry to the web application.

As the application can be configured to use either PostgreSQL or MySQL, and questions were raised about comparative vulnerability, I tried out both databases and tested each configuration with some SQL injection attempts.

Under PostgreSQL an input of '; do bad stuff here; and here; would crash the login cgi as expected and execute the bad stuff.

What was unexpected was that MySQL resisted this attack. This got me to wonder if there was a setting of some sort for DBD::MySQL or elsewhere that limited prepare to 1 statement per call, or was MySQL resistant in some other way.

As I understand it MySQL is not SQL-injection resistant in general.

This is not a question purely about techniques for eliminating SQL injection; for that perhaps see How can I avoid SQL injection attacks?.

The question is: Is MySQL somehow more resistant than PostgreSQL to SQL injection attack under the PERL DBI and why might this be the case?

Recommended answer

The MySQL client library seems to limit to one statement per call by default (I encountered it with PHP).

But that shouldn't be a reason to use MySQL over PostgreSQL, since you can still inject by using subqueries.
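Added example (not from the question or the answer): Python's sqlite3 is used as a stand-in for DBI, because its execute() also refuses more than one statement per call, like the MySQL client default the answer describes. It shows that this limit blocks a stacked-statement payload but not a subquery riding inside the one SELECT, while the placeholder version recommended by the DBI docs is unaffected. The table and its rows are constructed here.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the application's "passwords" table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE passwords (userid TEXT, password TEXT)")
    db.executemany("INSERT INTO passwords VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def lookup_interpolated(db, userid):
    """Mirrors the vulnerable DBI code: userid is pasted into the SQL string."""
    sql = f"SELECT password FROM passwords WHERE userid='{userid}'"
    return [row[0] for row in db.execute(sql)]

def lookup_placeholder(db, userid):
    """The DBI-recommended fix: userid is bound through a placeholder."""
    cur = db.execute("SELECT password FROM passwords WHERE userid=?", (userid,))
    return [row[0] for row in cur]

def demo():
    db = make_db()
    results = {}

    # 1. Stacked statements: execute() rejects a second statement in the same
    #    call, so the one-statement-per-call limit does stop this form.
    stacked = "'; DELETE FROM passwords; --"
    try:
        lookup_interpolated(db, stacked)
        results["stacked_blocked"] = False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        results["stacked_blocked"] = True

    # 2. Still a single statement, but a subquery widens the WHERE clause so the
    #    query returns every password. The limit does nothing here.
    subquery = "' OR userid IN (SELECT userid FROM passwords) --"
    results["interpolated_leak"] = lookup_interpolated(db, subquery)

    # 3. With a placeholder the same input is just a userid that matches nothing.
    results["placeholder_leak"] = lookup_placeholder(db, subquery)
    results["placeholder_normal"] = lookup_placeholder(db, "alice")
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```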
