Mysql 更改分隔符以获得更好的 SQL 注入处理? [英] Mysql change delimiter for better SQL INJECTION handling?

问题描述

我正在使用 mysql 并试图阻止那些将尝试使用我的单个查询运行多个查询的人的不需要的查询注入.即，例如，当我有参数?id=3"时，人们可以尝试使用 ="id=3;drop table users"

I am using mysql and trying to block unwanted queries injection of people who will try to use my single query to run several ones. ie, for example when i have the parameter "?id=3", people can try to run it with ="id=3;drop table users"

现在，我知道避免这种情况的最佳方法是解析和检查参数，但是有没有办法将连接的查询分隔符从;"更改为类似于%^#$%@#$^$"?

Now, i know that the best way to avoid this is by parsing and checking the parameter, but is there a way to change the concatenated queries delimiter from ";" to something like "%^#$%@#$^$"?

推荐答案

声明DELIMITER 配置是mysql客户端工具的内置命令.您不能更改 multi- 的分隔符声明.它总是分号.

The statement DELIMITER configuration is a built-in command only in the mysql client tool. You can't change the delimiter for multi-statements. It's always semicolon.

此外，默认情况下，MySQL API 一次只允许执行一个语句.除非您明确 启用多语句.

Also, the MySQL API allows execution of only one statement at a time, by default. The example you're talking about doesn't work unless you explicitly enable multi-statements.

此外，多语句并不是 SQL 注入的唯一向量.即使您可以更改语句分隔符，它也无法防止修改单个给定语句的 SQL 注入.

Furthermore, multi-statements isn't the only vector for SQL injection. Even if you could change the statement delimiter, it wouldn't do anything to protect against SQL injection that modifies a single given statement.

UPDATE Accounts SET PASSWORD = '...' WHERE account_id = $id

在本例中，如果 $id 的值为1234 OR 1=1"，那么攻击者已经更改了所有帐户的密码，其中可能包括特权帐户用户.但没有涉及多语句.

In this example, if $id has a value of "1234 OR 1=1" then the attacker has changed the password for all accounts, including probably a privileged user. And yet no multi-statements were involved.

您在编写代码时仍然需要注意安全问题.没有什么灵丹妙药可以防止 SQL 注入.

You still need to be mindful of security issues when you write code. There's no silver bullet to protect against SQL injection.

即使是查询参数也不是 SQL 注入的万能药.参数仅代替 SQL 表达式中的值.在许多常见情况下，仍然需要将应用程序变量插入到 SQL 字符串中.例如，在参数化 IN() 谓词时，或在选择 ORDER BY 表达式时.不要听那些说准备好的查询可以 100% 防止安全漏洞的人.

Even query parameters aren't a cure-all for SQL injection. Parameters take the place only of values in SQL expressions. There are many common cases where it's still necessary to interpolate application variables into an SQL string. For example, when parameterizing an IN() predicate, or when choosing ORDER BY expressions. Don't listen to people who say prepared queries are 100% proof against security flaws.

另见我的演示文稿 SQL 注入误区和谬误，或我书中关于 SQL 注入的章节，SQL 反模式:避免数据库编程的陷阱.

See also my presentation SQL Injection Myths and Fallacies, or the chapter on SQL Injection in my book, SQL Antipatterns: Avoiding the Pitfalls of Database Programming.

这篇关于Mysql 更改分隔符以获得更好的 SQL 注入处理?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！