SQL injection: isn't replace("'", "''") good enough?


Question

While I can certainly see the advantages of using parameters for SQL queries, especially when dealing with datetimes and things like that, I'm still unsure about parameters as the only way to prevent SQL injection.
The fact is, I inherited an application and it has things like

"SELECT Field FROM Table WHERE Filter='"+userinput.Replace("'", "''")+"'"

all over the place. Now while those don't look very pleasant to my eyes, and I wouldn't mind rewriting them, my question is, do I need to? Try as I might, I can't see a way to perform SQL injection with this.

Answer

No, it is not enough. It will do in a pinch, but it is a very weak alternative, and using parameterized queries or parameterized stored procedures is better, if your platform and/or RDBMS support either feature.

From OWASP's SQL Injection Prevention Cheat Sheet:

...this methodology is frail compared to using parameterized queries. This technique should only be used, with caution, to retrofit legacy code in a cost effective way.

Further reading:

SQL injection - but why isn't escaping quotes safe anymore?

SQL injection myths and fallacies

SQL injection after removing all single quotes and dash characters
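As an added example (not part of the original question or answer), here is the escape-and-concatenate pattern from the question placed next to the parameterized form the answer recommends, run against a constructed in-memory SQLite table; the table name, columns and rows are assumptions for the demo. Both return the same rows for awkward text inputs, but only the parameterized version is independent of where in the SQL the value lands and of the value's type.

```python
import sqlite3


def make_db():
    """Constructed sample data (assumption, not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Items (Field TEXT, Filter TEXT, Id INTEGER)")
    rows = [("a", "O'Brien", 1), ("b", "plain", 2), ("c", "back\\slash", 3)]
    conn.executemany("INSERT INTO Items VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def legacy_query(conn, userinput):
    """The inherited pattern: double every single quote, then concatenate.

    The doubling is only meaningful because the value lands inside a '...'
    string literal.  Reusing the same Replace() for a value that lands in an
    unquoted position (a number, a column name, an ORDER BY clause) gives no
    protection at all, which is why the cheat sheet calls the technique frail.
    """
    sql = "SELECT Field FROM Items WHERE Filter='" + userinput.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def parameterized_query(conn, value, column="Filter"):
    """Recommended form: the SQL text is fixed and the driver sends the value
    separately, so no escaping is needed and text, numbers and dates all work.

    Identifiers cannot be bound as parameters, so the column name is checked
    against a fixed whitelist instead of being taken from input.
    """
    if column not in ("Filter", "Id"):
        raise ValueError("unknown column")
    sql = "SELECT Field FROM Items WHERE " + column + "=?"
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    db = make_db()
    for text in ("O'Brien", "plain", "back\\slash", "no match"):
        print(repr(text), legacy_query(db, text), parameterized_query(db, text))
    # An integer goes straight through as a parameter; the legacy helper
    # cannot even accept it, because .replace() only exists on strings.
    print(parameterized_query(db, 3, column="Id"))
```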
