Can I avoid all SQL-injection attacks by using parameters?


Question

Can I avoid all SQL-injection attacks by using parameters?
And not worry about anything in SQL injection in this case?
Or are there some types of these attacks which require more care on the part of the programmer?

Recommended answer

No, you can't avoid all SQL injection attacks by using parameters. Dynamic SQL is the real issue, and this can occur in stored procedures as well as in your application code.

E.g., this is prone to a SQL injection attack: your parameterized query passes a username to a stored procedure, and within the stored procedure the parameter is concatenated to a SQL command and then executed.

For an example of many kinds of SQL injection attacks, see this SQL Injection Cheat Sheet. You will see that simply escaping single quotes is just scratching the surface, and that there are many ways around that.
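The scenario the answer describes, written out as an added T-SQL example (not code from the question or the answer): the application calls the procedure with a proper parameter, yet the procedure builds dynamic SQL by concatenation, so the injection simply moves one layer down. The schema `dbo.Users(id, username, email)`, the procedure names and the payloads are all assumptions made for illustration. The block also shows why escaping quotes is not a fix when the value lands in a numeric context, and the hardened forms using `sp_executesql` (for values) and `QUOTENAME` plus an allow-list (for identifiers, which cannot be parameterized).

```sql
-- Added example (T-SQL), not from the original question or answer.
-- Assumed schema: dbo.Users(id INT, username NVARCHAR(100), email NVARCHAR(256)).
-- Procedure names, columns and payloads are illustrative assumptions.

-- 1. Vulnerable: the application passes @username as a real parameter,
--    but the procedure splices it into a string and executes that string.
CREATE PROCEDURE dbo.GetUserByName_Vulnerable
    @username NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT id, username, email FROM dbo.Users WHERE username = N'''
             + @username + N'''';
    EXEC (@sql);   -- the caller's text is now part of the statement
END;
GO

-- Calling it with a parameterized command is not enough:
--   EXEC dbo.GetUserByName_Vulnerable @username = N'x'' OR 1=1 --';
-- builds and runs:
--   SELECT id, username, email FROM dbo.Users WHERE username = N'x' OR 1=1 --'

-- 2. Escaping single quotes does not close the hole when the value lands in
--    a numeric context: the payload N'0 OR 1=1' contains no quote at all.
CREATE PROCEDURE dbo.GetUserById_Vulnerable
    @idText NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT id, username, email FROM dbo.Users WHERE id = '
             + REPLACE(@idText, N'''', N'''''');   -- quote "escaping" is useless here
    EXEC (@sql);
END;
GO

-- 3. Hardened: keep the value out of the statement text. sp_executesql binds
--    @u as a real parameter, so its content can never change the query shape.
CREATE PROCEDURE dbo.GetUserByName_Safe
    @username NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT id, username, email FROM dbo.Users WHERE username = @u';
    EXEC sp_executesql @sql, N'@u NVARCHAR(100)', @u = @username;
END;
GO

-- 4. When dynamic SQL is genuinely needed (an identifier cannot be a parameter),
--    validate the identifier against an allow-list and quote it with QUOTENAME;
--    the data value still travels as a parameter.
CREATE PROCEDURE dbo.SearchByColumn_Safe
    @column SYSNAME,
    @value  NVARCHAR(100)
AS
BEGIN
    IF @column NOT IN (N'username', N'email')
        THROW 50000, N'column not allowed', 1;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT id, username, email FROM dbo.Users WHERE '
        + QUOTENAME(@column) + N' = @v';
    EXEC sp_executesql @sql, N'@v NVARCHAR(100)', @v = @value;
END;
GO
```

The practical check is therefore not "does my application use parameters?" but "is there any point, in application code or in the database, where untrusted text becomes part of statement text?". Reviewing every `EXEC (@sql)` and string-built query in your stored procedures is part of that audit.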
