Are Parameters really enough to prevent SQL injections?

Views: 135

Question


I've been preaching both to my colleagues and here on SO about the goodness of using parameters in SQL queries, especially in .NET applications. I've even gone so far as to promise them as giving immunity against SQL injection attacks.


But I'm starting to wonder if this really is true. Are there any known SQL injection attacks that will be successful against a parameterized query? Can you for example send a string that causes a buffer overflow on the server?


There are of course other considerations to make to ensure that a web application is safe (like sanitizing user input and all that stuff) but now I am thinking of SQL injections. I'm especially interested in attacks against MS SQL 2005 and 2008 since they are my primary databases, but all databases are interesting.

Edit: To clarify what I mean by parameters and parameterized queries. By using parameters I mean using "variables" instead of building the SQL query in a string.

So instead of doing this:

SELECT * FROM Table WHERE Name = 'a name'

we do this:

SELECT * FROM Table WHERE Name = @Name


and then set the value of the @Name parameter on the query / command object.

Recommended answer


Placeholders are enough to prevent injections. You might still be open to buffer overflows, but that is a completely different flavor of attack from an SQL injection (the attack vector would not be SQL syntax but binary). Since the parameters passed will all be escaped properly, there isn't any way for an attacker to pass data that will be treated like "live" SQL.


You can't use functions inside placeholders, and you can't use placeholders as column or table names, because they are escaped and quoted as string literals.


However, if you use parameters as part of a string concatenation inside your dynamic query, you are still vulnerable to injection, because your strings will not be escaped but will be literal. Using other types for parameters (such as integer) is safe.


That said, if you're using user input to set the value of something like security_level, then someone could just make themselves administrators in your system and have a free-for-all. But that's just basic input validation, and has nothing to do with SQL injection.
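The three points of the answer (a bound parameter is never parsed as SQL, a placeholder cannot name a column or table, and parameters do not decide which columns a user is allowed to set), as an added, runnable example that is not part of the original question or answer. It uses Python's sqlite3 module as a stand-in for a .NET SqlCommand, since SQLite accepts the same @Name placeholder syntax as T-SQL; the Users table, its sample rows, the column allowlists and every function name are constructed for this illustration.

```python
"""Parameters stop SQL injection, but not everything.  Added example (not from
the original post), using Python's sqlite3 module as a stand-in for a .NET
SqlCommand: SQLite accepts the same @Name placeholder syntax as T-SQL."""
import sqlite3

# Constructed sample rows for the demo.  The insertion order is deliberate:
# sorting by Name and sorting by security_level give different results.
SAMPLE_USERS = [
    ("admin", "admin@example.test", 9),
    ("alice", "alice@example.test", 1),
    ("bob", "bob@example.test", 2),
]
ALLOWED_COLUMNS = {"Name", "Email", "security_level"}  # identifiers we will ever splice
UPDATABLE_COLUMNS = {"Email"}                           # columns a user may set on themselves


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Email TEXT, security_level INTEGER)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


# 1. Value pasted into the SQL text vs. value bound as a parameter -------------
def find_concat(conn, name):
    # Vulnerable: the caller's string is parsed as part of the SQL grammar.
    sql = "SELECT Name FROM Users WHERE Name = '" + name + "' ORDER BY Name"
    return [row[0] for row in conn.execute(sql)]


def find_param(conn, name):
    # Safe: @Name is bound as data, so quotes, OR and comments inside it are inert.
    sql = "SELECT Name FROM Users WHERE Name = @Name ORDER BY Name"
    return [row[0] for row in conn.execute(sql, {"Name": name})]


# 2. A placeholder cannot name a column or table --------------------------------
def select_column_param(conn, column):
    # @Col is bound as a string literal, so every row yields that text rather
    # than the column's contents: no error, just the wrong result.
    sql = "SELECT @Col FROM Users ORDER BY Name"
    return [row[0] for row in conn.execute(sql, {"Col": column})]


def select_column_allowlist(conn, column):
    # Identifiers have to be checked against a fixed allowlist and only then
    # spliced into the query text; quoting alone is not a substitute for that.
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown column: %r" % column)
    sql = 'SELECT "%s" FROM Users ORDER BY Name' % column
    return [row[0] for row in conn.execute(sql)]


# 3. Parameters do not decide *which* columns a user may set ---------------------
def security_level(conn, name):
    row = conn.execute(
        "SELECT security_level FROM Users WHERE Name = @Name", {"Name": name}
    ).fetchone()
    return row[0] if row else None


def update_profile(conn, name, fields, check=True):
    # Every value is a bound parameter, so no injection is possible even when
    # `fields` comes straight from a web form.  Without the check, though, a
    # form that posts security_level=9 promotes the user: that is an input
    # validation bug, not an injection, and parameters cannot catch it.
    if check:
        unexpected = set(fields) - UPDATABLE_COLUMNS
        if unexpected:
            raise ValueError("fields not updatable by the user: %s" % sorted(unexpected))
    elif set(fields) - ALLOWED_COLUMNS:
        raise ValueError("unknown column name")  # column names are never user-supplied
    assignments = ", ".join('"%s" = @%s' % (col, col) for col in fields)
    params = dict(fields, who=name)
    conn.execute('UPDATE Users SET %s WHERE Name = @who' % assignments, params)
    return security_level(conn, name)


if __name__ == "__main__":
    db = open_db()
    payload = "x' OR '1'='1"
    print(find_concat(db, payload))                       # ['admin', 'alice', 'bob']  (injected)
    print(find_param(db, payload))                        # []  (treated as a literal name)
    print(select_column_param(db, "security_level"))      # ['security_level', 'security_level', 'security_level']
    print(select_column_allowlist(db, "security_level"))  # [9, 1, 2]
    print(update_profile(db, "bob", {"Email": "b@example.test", "security_level": 9}, check=False))  # 9
```

The same payload that returns every row through `find_concat` matches nothing through `find_param`, because the parameter is compared as the literal string. Note that the allowlist in `update_profile` is the only thing standing between a user and `security_level`; the bound parameters are doing exactly their job in both branches.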
