SQL注入替换为单引号和验证整数 [英] SQL Injections with replace single-quotation and validate integers

问题描述

可能重复：结果
的我可以通过转义单引号和周围用单引号用户输入防止SQL注入？

我只是想知道，如果我更换每隔 与在用户输入，例如与string.replace（'，''），和验证号码（确保它们是数字，不包含任何其它字符），是SQL注入仍然是可能的？怎么样？

I just want to know, If I replace every ' with '' in user inputs, for instance string.Replace("'","''"), and validate numbers (make sure that they are numbers, and do not contain any other character), is SQL Injection still possible? How?

我使用动态SQL查询，使用的SqlCommand 。事情是这样的：

I'm using dynamic SQL queries, using SqlCommand. Something like this:

cmd.CommandText = "SELECT * FROM myTable WHERE ID = " + theID.ToString();

或

cmd.CommandText = "UPDATE myTable SET title='" + title.Replace("'","''") + "' WHERE ID = " + theID.ToString();

输入整数自动验证在ASP.NET MVC（检查他们是否是真正的数字）。

Input integers are automatically validated (checked whether they are a real number) in ASP.NET MVC.

推荐答案

如果这是编码这样的话，虽然不是最优的传统项目，我不知道目前任何方式它可以为每一个字符串以这种方式处理和查询都只是简单的，你已经证明，只要是容易受到SQL注入攻击。

If this is a legacy project that is coded this way then, whilst not optimal, I'm not currently aware of any way that it can be susceptible to SQL injection as long as every string is treated in that manner and the queries are just simple ones as you have shown.

我不能说出任何比这更多的确定性不过。如果不使用parametrised查询始终存在，有一些漏洞，你还没有考虑的可能性。

I cannot state any more certainty than that however. Without using parametrised queries there is always the possibility that there is some vulnerability that you have not yet considered.

手动去除引号自己是容易出错，并且可以在难以事先预料的方式有时会失败。例如，如下表所示。

Manually escaping the quotes yourself is error prone and can sometimes fail in ways that are difficult to anticipate in advance. For example with the following table

CREATE TABLE myTable(title VARCHAR(100))
INSERT INTO myTable VALUES('Foo')

和存储过程中使用动态SQL内置了字符串连接

And stored procedure using dynamic SQL built up with string concatenation

CREATE PROC UpdateMyTable
@newtitle NVARCHAR(100)
AS
/*
Double up any single quotes
*/
SET @newtitle = REPLACE(@newtitle, '''','''''')

DECLARE @UpdateStatement VARCHAR(MAX)

SET @UpdateStatement = 'UPDATE myTable SET title='''  + @newtitle + ''''

EXEC(@UpdateStatement)

您可以尝试以下

正常更新

EXEC UpdateMyTable N'Foo'
SELECT * FROM myTable /*Returns "Foo"*/

SQL注入企图挫败

EXEC UpdateMyTable N''';DROP TABLE myTable--'
SELECT * FROM myTable  /*Returns "';DROP TABLE myTable--"*/

SQL注入尝试成功并丢弃表

SQL Injection attempt succeeds and drops the table

EXEC UpdateMyTable N'ʼ;DROP TABLE myTable--'
SELECT * FROM myTable  /*Returns "Invalid object name 'myTable'."*/

这里的问题是，第三个查询通过 U + 02BC 而不是标准的撇号然后将串被分配给的varchar（最大）发生卫生后默默地转换成一个常规撇号。

The issue here is that the third query passes U+02BC instead of the standard apostrophe and then the string is assigned to a varchar(max) after the sanitation occurs which silently converts this to a regular apostrophe.

直到我读到这里 回答这个问题永远不会有发生在我身上。

Until I read the answer here that issue would never have occurred to me.

这篇关于SQL注入替换为单引号和验证整数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！