Like子句和sql注入 [英] Like clause and sql injection
本文介绍了Like子句和sql注入的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我对这种情况有疑问.
我在存储过程中有一个这样的查询:
I've a query like this within a Stored Procedure:
SELECT column1, column2
FROM table1
WHERE column1 like '%' + @column1 + '%'
我的问题是,这容易受到 SQL 注入的攻击吗?我是否需要将其更改为这样的:(?)
My question is, this is vulnerable to SQL Injection? Do I need to change this to something like this: (?)
declare @column1Like nvarchar(200);
@column1Like = '%' + @column1 + '%'
SELECT column1, column2
FROM table1
WHERE column1 like @column1Like
问候
推荐答案
答案是否定的.要容易受到 SQL 注入攻击,必须使用动态 SQL 执行.
The quick answer is no. To be vulnerable to SQL injection one must be using dynamic SQL execution.
这很容易受到攻击:
EXECUTE ('SELECT column1, column2 FROM table1 WHERE column1 like ' + @column1Like);
这也意味着您的两个示例之间没有真正的区别(至少从安全角度来看).
That also means there is no real difference between both of your examples (from a security standpoint at least).
这篇关于Like子句和sql注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文