Am I immune to SQL injections if I use stored procedures?


Question

Let's say on MySQL database (if it matters).

Answer

No, you will not be completely safe. As others have mentioned, parameterized queries are always the way to go -- no matter how you're accessing the database.

It's a bit of an urban legend that with procs you're safe. I think the reason people are under this delusion is because most people assume that you'll call the procs with parameterized queries from your code. But if you don't, if for example you do something like the below, you're wide open:

// paramValue comes straight from the end user and is spliced into the command text
SqlCommand cmd = new SqlCommand("exec @myProc " + paramValue, con);
cmd.ExecuteNonQuery();

Because you're using unfiltered content from the end user. Once again, all they have to do is terminate the line (";"), add their dangerous commands, and boom -- you're hosed.

(As an aside, if you're on the web, don't take unfiltered junk from the query string of the browser -- that makes it absurdly easy to do extremely bad things to your data.)

If you parameterize the queries, you're in much better shape. However, as others here have mentioned, if your proc is still generating dynamic SQL and executing that, there may still be issues.

I should note that I'm not anti-proc. Procs can be very helpful for solving certain problems with data access. But procs are not a "silver-bullet" solution to SQL injections.
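The concatenated call from the answer placed beside its parameterized form, as an added example that is not part of the original answer. It uses the same ADO.NET SqlCommand API the answer shows; the procedure name dbo.GetOrdersByCustomer, its @customerName parameter and the DB_CONN environment variable are assumptions made for the demo.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProcCalls
{
    // Vulnerable: same shape as the answer's snippet. The user-supplied value is
    // spliced into the command text, so the procedure's own parameters protect
    // nothing; the server parses whatever string the caller assembled.
    public static SqlCommand BuildUnsafe(SqlConnection con, string customerName)
    {
        return new SqlCommand("exec dbo.GetOrdersByCustomer '" + customerName + "'", con);
    }

    // Hardened: the command IS the procedure, and the value travels as a typed
    // parameter. It is never parsed as SQL, whatever characters it contains.
    public static SqlCommand BuildSafe(SqlConnection con, string customerName)
    {
        var cmd = new SqlCommand("dbo.GetOrdersByCustomer", con);
        cmd.CommandType = CommandType.StoredProcedure;
        // Size and type match the hypothetical procedure's declared parameter.
        cmd.Parameters.Add("@customerName", SqlDbType.NVarChar, 100).Value = customerName;
        return cmd;
    }

    public static void Main()
    {
        // Constructed sample: a perfectly ordinary name that already breaks the
        // concatenated version, because the apostrophe ends the string literal.
        string input = "O'Brien";
        string connStr = Environment.GetEnvironmentVariable("DB_CONN") ?? "";

        using (var con = new SqlConnection(connStr))
        {
            Console.WriteLine("Unsafe command text: " + BuildUnsafe(con, input).CommandText);
            Console.WriteLine("Safe command text  : " + BuildSafe(con, input).CommandText);
            // Only the parameterized command should ever reach the database:
            // con.Open(); using (var r = BuildSafe(con, input).ExecuteReader()) { ... }
        }
    }
}
```

Note that this fixes only the call site; if the procedure itself builds a statement from @customerName with string concatenation and executes it, the caller's parameterization cannot help and the procedure body needs the same treatment.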
