SQL injection - no danger on stored procedure call (on iSeries)?

Question

I've done some searching around but I have a specific question on SQL Injection and hope I can get some input as I believe I may be getting the wrong end of the stick to do with field data sanitising etc :-

I have a Java program calling a stored procedure on an iSeries. The stored procedure has CL / RPG code behind the scenes. The stored procedure is called by way of parameters with the data coming from a web page. For example the call would look like the following:-

call library.prog('field1Value', 'field2Value')

Do I need to worry about any characters entered via the website into 'field1Value' etc or, because it is a stored procedure call, does the danger of SQL injection not exist? Does it depend on whether the RPG program behind the scenes uses 'field1Value' in its own SQL statement as part of that processing?

The field lengths passed into the procedure are fixed length so we cannot, for example, convert 'dodgy' characters into their HTML equivalent.

Appreciate any (I'm anticipating this might be a stupid question!) feedback (not necessarily iSeries specific) on this.

Solution

Unless you are using those parameters to construct dynamic SQL in the proc itself, you should be fine.

Also, you cannot clean it by checking the parameters.

See here: SQL teaser.. try protecting this

Below is SQL Server syntax.

I can call a proc like this:

prDropDeadFred ' declare @d varchar(100) select @d = reverse(''elbaTdaB,elbatecin elbat pord'') exec (@d)'

or like this:

prDropDeadFred ' declare @d varchar(100) select @d = convert(varchar(100),0x64726F70207461626C65204E6963655461626C652C4261645461626C65) exec (@d)'

or 5000 other ways that you won't know about.
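Added example, not code from the question or the answer: the Java side of the call the question describes, with the concatenated form of the CALL beside the bound-parameter form that the answer's advice implies. The jt400 (IBM Toolbox for Java) JDBC driver is assumed, and the host, library, program name and credentials are placeholders.

```java
// Added example (not from the original question or answer): calling the
// iSeries stored procedure from Java with bound parameters instead of
// building the CALL statement text from web input. Assumes the jt400 JDBC
// driver; host, library, program and credentials are placeholders.
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Statement;

public class SafeProcCall {

    // UNSAFE: the web values are pasted into the SQL text. A single quote in
    // field1 ends the literal early and the remainder of the value is parsed
    // as SQL by the database, which is the pattern the answer shows for
    // SQL Server. Kept only to contrast with callSafe below.
    static void callUnsafe(Connection con, String field1, String field2) throws SQLException {
        String sql = "CALL LIBRARY.PROG('" + field1 + "', '" + field2 + "')";
        try (Statement st = con.createStatement()) {
            st.execute(sql);
        }
    }

    // SAFE: parameter markers. The statement text is fixed; the values travel
    // to the server as data and cannot alter the statement, whatever characters
    // they contain, so fixed-length CHAR parameters need no HTML escaping.
    // Caveat from the answer: if PROG itself concatenates these parameters
    // into dynamic SQL (e.g. EXECUTE IMMEDIATE on a built string), binding on
    // the Java side does not help; the RPG must also use parameter markers.
    static void callSafe(Connection con, String field1, String field2) throws SQLException {
        try (CallableStatement cs = con.prepareCall("{call LIBRARY.PROG(?, ?)}")) {
            cs.setString(1, field1);
            cs.setString(2, field2);
            cs.execute();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder connection details (assumption, not from the page).
        String url = "jdbc:as400://ISERIES_HOST;naming=sql";
        try (Connection con = DriverManager.getConnection(url, "USER", "PASSWORD")) {
            // A value containing a quote is passed through harmlessly.
            callSafe(con, "O'Brien", "field2Value");
        }
    }
}
```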
