SQL injection in firebase


Question

Firebase is a NoSQL database and works differently from SQL, so how can we sanitize the data? For example, I can't seem to find a mysqli_real_escape_string command for the Firebase database, even in the Firebase documentation. Can anyone advise me on this? Would also appreciate it if anyone can drop me a forum link about this, etc. Hungry to know about this :> Thanks

Answer

Firebase Realtime Database (and Firestore) isn't vulnerable to SQL injection attacks.

First, it's helpful to understand what SQL injection attacks are. Please read this article to help with your understanding. Note that with SQL injection, the root problem is that the developer writes code that has to build a SQL command to run, and the build (if not performed correctly) can be subtly modified by an attacker to do what they want.

With Firebase, you don't build a SQL command (or any string command composed of various parts that require escaping) in order to execute a query. Instead, you use an API provided by the SDK, and pass strings that are automatically managed by the API. This means that SQL injection is not an issue here. There is no SQL injection because there is no SQL (it's noSQL after all!).

To ensure that end users have no more access to data than they are entitled to, you need to use Firebase Authentication and implement security rules that describe who has access to what data.
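A concrete form of the security rules the answer refers to, added here as an example and not taken from the original answer: a Firebase Realtime Database rules document in which an authenticated user can read and write only their own node under `users`, and the `displayName` field must be a string of bounded length. The `users/$uid` path and the `displayName` field are assumptions made for this example; the rule syntax (`auth.uid`, `$uid` wildcards, `newData.isString()`, `.validate`) is the Realtime Database rules language.

```json
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && $uid === auth.uid",
        ".write": "auth != null && $uid === auth.uid",
        "displayName": {
          ".validate": "newData.isString() && newData.val().length <= 64"
        }
      }
    }
  }
}
```

The weak counterpart is the "test mode" default of `".read": true, ".write": true` at the top level, which grants every client full access to the whole tree. Realtime Database rules cascade downward: a permission granted at a parent path cannot be revoked by a deeper rule, so access should be denied at the root and granted only at the narrowest path that needs it, as above. The `.validate` rule is where input constraints live in Firebase; since values are never parsed as commands, validation here is about data shape and size, not about escaping.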
