Like子句和sql注入 [英] Like clause and sql injection

查看：77 发布时间：2021/9/10 18:59:50 sql tsql

本文介绍了Like子句和sql注入的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

我对这种情况有疑问.

我在存储过程中有一个这样的查询:

I've a query like this within a Stored Procedure:

SELECT column1, column2
FROM table1
WHERE column1 like '%' + @column1 + '%'

我的问题是，这容易受到 SQL 注入的攻击吗?我是否需要将其更改为这样的:(?)

My question is, this is vulnerable to SQL Injection? Do I need to change this to something like this: (?)

declare @column1Like nvarchar(200);

@column1Like = '%' + @column1 + '%'

SELECT column1, column2
FROM table1
WHERE column1 like @column1Like

问候

答案是否定的.要容易受到 SQL 注入攻击，必须使用动态 SQL 执行.

The quick answer is no. To be vulnerable to SQL injection one must be using dynamic SQL execution.

这很容易受到攻击:

EXECUTE ('SELECT column1, column2 FROM table1 WHERE column1 like ' + @column1Like);

这也意味着您的两个示例之间没有真正的区别(至少从安全角度来看).

That also means there is no real difference between both of your examples (from a security standpoint at least).

这篇关于Like子句和sql注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！

查看全文