Format function vs Parameters in sql injection scenarios?


Problem description

I know about the use of parameters in SQL statements, but just out of curiosity: is it safe to use the Format function to prevent SQL injection instead of using parameters?

Like this example:

procedure SumForCustomer(const sCustomer: string);
begin
  // QuotedStr wraps the value in single quotes and doubles any embedded single quote
  AdoSql.CommandText := Format('Select SUM(value) result from invoices where customer=%s', [QuotedStr(sCustomer)]);
end;


Recommended answer

That would probably be secure against SQL injection, assuming QuotedStr works as expected and there are no edge cases that can break it. (Which is by no means guaranteed. As Linas pointed out in a comment, MySQL lets you use \' to escape out quotes. Other DBMSs probably have similar capabilities. An attacker with enough theoretical knowledge of the system would be able to exploit them.)

However, even if QuotedStr was good enough, it's still better to use parameters for a different reason: performance. When you separate your parameters from your query, you can end up sending the exact same query code multiple times with different parameters. If you do that, the database can cache a lot of the work it does in computing the query, so your DB access gets faster. That doesn't work (or at least not as well) when you mix the parameters into the query code itself.
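The quoting edge case and the parameter recommendation from the answer above, as an added example that is not part of the original question or answer. It re-implements the escaping behaviour of Delphi's QuotedStr in Python, lexes the query that Format builds under two quoting dialects (standard SQL, where only '' escapes a quote, and MySQL's default mode, where a backslash also escapes the next character), and then runs the same inputs against an in-memory SQLite database, which stands in for the real DBMS and whose sample rows are constructed here. The function names, the sample data and the use of SQLite are assumptions of this example, not anything from the original page.

```python
# Added example, not code from the question or the answer.  It simulates the
# Delphi QuotedStr escaping from the question in Python, lexes the resulting
# SQL under two quoting dialects, and contrasts it with a parameterized query
# run against an in-memory SQLite database standing in for the real DBMS.
import sqlite3


def quoted_str(value: str) -> str:
    """Python equivalent of Delphi's QuotedStr: wrap in single quotes and
    double every embedded single quote."""
    return "'" + value.replace("'", "''") + "'"


def build_query(customer: str) -> str:
    """The Format(...) call from the question, with the escaped value pasted in."""
    return "SELECT SUM(value) result FROM invoices WHERE customer=" + quoted_str(customer)


def literal_end(sql: str, start: int, backslash_escapes: bool):
    """Index just past the string literal opening at sql[start], or None if it
    never closes.  Standard SQL (and SQLite) only recognise '' inside a literal;
    MySQL in its default mode also treats a backslash as escaping the next
    character, which is the edge case the answer mentions."""
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\":
            i += 2          # backslash eats the next character, even a quote
            continue
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2      # doubled quote: still inside the literal
                continue
            return i + 1    # literal closes here
        i += 1
    return None             # unterminated literal


def quoting_broken(customer: str, backslash_escapes: bool) -> bool:
    """True when the lexer does not end the literal exactly where QuotedStr
    closed it: either SQL text is left over after the literal (attacker-supplied
    clauses now run as SQL) or the literal never terminates and swallows the
    rest of the statement."""
    sql = build_query(customer)
    start = sql.index("customer=") + len("customer=")
    end = literal_end(sql, start, backslash_escapes)
    return end is None or sql[end:].strip() != ""


def demo_db() -> sqlite3.Connection:
    """Constructed sample data; the last row's customer name is itself an
    injection payload so we can tell 'matched literally' from 'matched all'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (customer TEXT, value REAL)")
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?)",
        [("acme", 10.0), ("acme", 5.5), ("O'Brien", 7.0), ("\\' OR 1=1 -- ", 1.0)],
    )
    return conn


def sum_via_format(conn: sqlite3.Connection, customer: str):
    """The question's approach: value escaped with QuotedStr and pasted in.
    Safe on SQLite only because SQLite has no backslash escapes."""
    return conn.execute(build_query(customer)).fetchone()[0]


def sum_via_parameter(conn: sqlite3.Connection, customer: str):
    """The answer's recommendation: the value travels separately from the SQL,
    so no dialect's quoting rules are involved, and the SQL text is identical
    on every call, which lets the driver reuse the prepared statement."""
    row = conn.execute("SELECT SUM(value) result FROM invoices WHERE customer=?", (customer,)).fetchone()
    return row[0]


if __name__ == "__main__":
    payload = "\\' OR 1=1 -- "          # the MySQL break-out from the answer
    print(build_query(payload))
    print("standard quoting broken:   ", quoting_broken(payload, backslash_escapes=False))
    print("MySQL-style quoting broken:", quoting_broken(payload, backslash_escapes=True))
    db = demo_db()
    print("SQLite, Format:   ", sum_via_format(db, payload))
    print("SQLite, parameter:", sum_via_parameter(db, payload))
```

Run as a script, the payload lexes as one harmless literal under standard quoting but breaks out under MySQL-style backslash escaping, where the leftover ` OR 1=1 -- '` would run as SQL. A value ending in a single backslash shows the second failure mode: under MySQL rules the backslash escapes QuotedStr's closing quote and the literal never terminates. The parameterized query returns the correct per-customer sum for every input, including the payload row, without the application ever reasoning about quoting.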

