Can Windows App be Vulnerable to SQL Injection

Problem description

I recently came across a Windows app which has a really bad practice of having inline SQL scripts. Can it be prone to SQL injection?

If yes, are there any tools to discover the vulnerability quickly?

Recommended answer

Yes, Windows apps can also be vulnerable to SQL injection attacks.
The problem is not the type of application, but inline SQL scripts are also not the problem.
The problem is when the SQL is built dynamically from hard-coded strings and user input strings. In fact, even stored procedures might be vulnerable to SQL injection attacks.

Take for example this simple procedure: (Warning: This code is not safe!)

CREATE PROCEDURE sp_sqlInj
(
    @UserInput varchar(300)
)
AS

    DECLARE @Sql varchar(max)
    -- Unsafe: @UserInput is concatenated into the statement text, so it is parsed as SQL
    SET @Sql = 'SELECT * FROM Table WHERE x = '+ @UserInput
    EXEC(@Sql)
GO

As you can imagine, this procedure is wide open to SQL injection attacks.
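
A hardened counterpart to the procedure above, as an added T-SQL example that is not part of the original answer. The table dbo.Items, its columns, and the procedure names are hypothetical; the second procedure goes beyond the answer's case to show dynamic SQL that varies an identifier.

```sql
-- Constructed sample data; dbo.Items stands in for the answer's "Table".
CREATE TABLE dbo.Items (x varchar(300) NOT NULL, label nvarchar(50) NOT NULL);
INSERT INTO dbo.Items (x, label) VALUES ('a', N'first'), ('b', N'second');
GO

-- Option 1: no dynamic SQL. @UserInput is only ever compared as a value.
CREATE PROCEDURE dbo.usp_GetItems_Static
    @UserInput varchar(300)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT x, label FROM dbo.Items WHERE x = @UserInput;
END
GO

-- Option 2: dynamic SQL is genuinely needed (the caller chooses the sort column).
CREATE PROCEDURE dbo.usp_GetItems_Dynamic
    @UserInput  varchar(300),
    @SortColumn sysname = N'x'
AS
BEGIN
    SET NOCOUNT ON;

    -- Identifiers cannot be bound as parameters: check against an allow-list,
    -- then quote the name before it is placed in the statement text.
    IF @SortColumn NOT IN (N'x', N'label')
    BEGIN
        RAISERROR(N'Invalid sort column.', 16, 1);
        RETURN;
    END

    DECLARE @Sql nvarchar(max) =
        N'SELECT x, label FROM dbo.Items WHERE x = @p ORDER BY '
        + QUOTENAME(@SortColumn) + N';';

    -- The user value travels as the bound parameter @p, never as statement text.
    EXEC sys.sp_executesql @Sql, N'@p varchar(300)', @p = @UserInput;
END
GO

EXEC dbo.usp_GetItems_Static  @UserInput = 'b';
EXEC dbo.usp_GetItems_Dynamic @UserInput = 'b', @SortColumn = N'label';
```

On the client side, the Windows app should call either procedure through a parameterized command so the value is bound rather than concatenated there as well.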
