Is this an example of an SQL Injection Attack?


Question

I developed a web site for a client where they will post images of their merchandise online. The url is www.domiainname.com/item-details.cfm?sku=125. Someone tried browsing to www.domiainname.com/item-details.cfm?sku=125%20and%203=3 which produced an error of which I'm notified.

I've also received error reports of:

item-details.cfm?sku=1291+or+1=@@version--
item-details.cfm?sku=1291'+or+1=@@version
item-details.cfm?sku=1291+or+1=@@version

The last three examples are definitely of someone trying to get into the system, right?

If we converted this to be stored procedures, would that reduce or eliminate the risk of insertion attacks?

Accepted answer

Yes, it looks like someone is being malicious.

Using cfqueryparam will prevent SQL-injection attacks. When in doubt (and it's CF), ask Ben:

SQL Injection Attacks, Easy To Prevent, But Apparently Still Ignored

Example:

<cfquery ...>
    SELECT    *
    FROM      Products
    WHERE     SKU=<cfqueryparam value="#URL.SKU#" cfsqltype="CF_SQL_INTEGER">
</cfquery>
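To show concretely what cfqueryparam buys you, here is an added example that is not part of the question or answer: it is Python with an in-memory sqlite3 database standing in for ColdFusion and the client's database, and it runs the exact request strings quoted in the question through a string-concatenated query and through a typed bind parameter (the integer check plus bind is what cfsqltype="CF_SQL_INTEGER" does). The Products table, its rows and the Name column are constructed for the demo.

```python
import sqlite3
import urllib.parse

# Constructed sample catalogue standing in for the Products table in the answer.
PRODUCTS = [(125, "Lamp"), (1291, "Chair"), (2000, "Table")]

# The legitimate request plus the request shapes quoted in the question.
REQUESTS = [
    "sku=125",
    "sku=125%20and%203=3",
    "sku=1291+or+1=@@version--",
    "sku=1291'+or+1=@@version",
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (SKU INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?)", PRODUCTS)
    return conn

def sku_from_query(query_string):
    """Decode the sku parameter the way the server populates URL.SKU."""
    return urllib.parse.parse_qs(query_string)["sku"][0]

def lookup_concat(conn, sku):
    """Vulnerable: URL.SKU is spliced straight into the SQL text.
    Returns ("rows", [...]) or ("sql_error", message): the tautology probe
    changes which rows come back, the others produce the kind of database
    error that triggered the error reports in the question."""
    try:
        rows = conn.execute(f"SELECT SKU, Name FROM Products WHERE SKU={sku}").fetchall()
        return ("rows", rows)
    except sqlite3.Error as exc:
        return ("sql_error", str(exc))

def is_integer_text(value):
    return value.strip().lstrip("-").isdigit()

def lookup_param(conn, sku):
    """Hardened: what <cfqueryparam cfsqltype="CF_SQL_INTEGER"> does.
    The value must parse as an integer and is then passed as a bind
    parameter, so the driver treats it as data, never as SQL text."""
    if not is_integer_text(sku):
        return ("rejected", sku)
    rows = conn.execute("SELECT SKU, Name FROM Products WHERE SKU=?", (int(sku),)).fetchall()
    return ("rows", rows)

if __name__ == "__main__":
    db = make_db()
    for q in REQUESTS:
        s = sku_from_query(q)
        print(f"{q!r:32} concat={lookup_concat(db, s)} param={lookup_param(db, s)}")
```

Note that `sku=125 and 3=3` returns the same row as `sku=125` under concatenation while `125 and 3=4` returns nothing; that difference in responses is what makes the first request a probe, and the typed parameter removes it by rejecting both.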
