Parameters in the FormsOf function and SQL injection


Question

Is the following SQL susceptible to SQL injection via the @SearchWord parameter?

I want to use parameters with the FormsOf function, but the only guide to doing so I've found is in this Stack Overflow question: How to pass parameter to FormsOf function in sql server

However, the solution seems to be to use a bit of dynamic SQL, and I was wondering if that would be susceptible to SQL injection. What would happen in the following example if @SearchWord contained an SQL-injection-type string? Is it not a problem because it's still within a parameter, passed as an argument to FREETEXTTABLE?

The solution given is:

DECLARE @SearchWord nvarchar(max)
SET @SearchWord = 'tax'

-- The search condition is built as a string value and passed as a variable;
-- it is never concatenated into the text of the SELECT statement itself.
DECLARE @SearchString nvarchar(max)
SET @SearchString = 'FormsOf(INFLECTIONAL, "' + @SearchWord + '")'

-- Note: FormsOf(...) is part of the CONTAINS/CONTAINSTABLE search-condition grammar.
-- FREETEXTTABLE treats its search string as plain free text (it applies inflectional
-- matching on its own), so CONTAINSTABLE is the function that actually parses FormsOf.
SELECT a.listing_id, ft.RANK, a.name, a.address, a.city, a.zip, a.heading, a.phone
FROM listings a
JOIN FREETEXTTABLE(listings, *, @SearchString) ft ON ft.[KEY] = a.listing_id
ORDER BY ft.RANK DESC, a.name

Solution

No, it's not susceptible. There's no dynamic SQL here (that would require either using EXEC or sp_executesql), so there's no vector for SQL injection.

In order for a SQL injection vulnerability to exist, the user-supplied string (in this case @SearchWord) must actually be inserted directly into the text of the SQL statement. Here, it's only being used to construct another string variable, which is subsequently used as a parameter to another SQL statement.

This statement can, however, fail if the user inputs an "invalid" search word, i.e. one containing single quotes, so you should probably still escape whatever value is passed to @SearchWord. But it cannot be used to execute arbitrary SQL.
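As an added example (not code from the question or from the answer above), the following T-SQL script puts the three shapes side by side: the variable-building pattern from the question fed a constructed injection payload, the genuinely injectable variant in which the same value is spliced into statement text and executed, and a parameterised sp_executesql form. It assumes a SQL Server database with a full-text index on a table named listings, as in the question; the payload string and the names @Clean, @Condition, @Unsafe and @Safe are this example's own. CONTAINSTABLE is used rather than FREETEXTTABLE because FormsOf(...) belongs to the CONTAINS search-condition grammar, which FREETEXTTABLE does not parse.

```sql
-- Added example; not code from the question or the answer.
-- Assumes SQL Server with a full-text index on a table named listings (as in the
-- question). The payload is constructed: it contains a double quote to close the
-- quoted search term, a single quote to close a T-SQL string literal, and a second
-- statement after a semicolon.
DECLARE @SearchWord nvarchar(max) = N'tax"''); DROP TABLE listings; --';

-- 1. The pattern from the question. The payload only becomes part of a variable's
--    value; the batch was compiled before that value existed, so no part of it is
--    ever parsed as T-SQL. The variable now holds:
--    FormsOf(INFLECTIONAL, "tax"'); DROP TABLE listings; --")
DECLARE @SearchString nvarchar(max) =
    N'FormsOf(INFLECTIONAL, "' + @SearchWord + N'")';
PRINT @SearchString;

-- The value is still handed to the full-text condition parser, which has its own
-- grammar. The payload's double quote closes the term early and leaves the rest
-- malformed, so the query fails with a full-text syntax error and nothing runs.
BEGIN TRY
    SELECT [KEY], RANK FROM CONTAINSTABLE(listings, *, @SearchString);
END TRY
BEGIN CATCH
    PRINT N'Rejected by the full-text condition parser: ' + ERROR_MESSAGE();
END CATCH;

-- 2. The injectable shape the answer contrasts with: the same value spliced into
--    statement text that is then executed. Here the payload's single quote ends the
--    string literal and its semicolon ends the statement, so DROP TABLE would run.
DECLARE @Unsafe nvarchar(max) =
    N'SELECT [KEY], RANK FROM CONTAINSTABLE(listings, *, ''FormsOf(INFLECTIONAL, "'
    + @SearchWord + N'")'')';
PRINT @Unsafe;
-- EXEC sp_executesql @Unsafe;   -- deliberately not executed: it would drop the table

-- 3. Safe even when dynamic SQL is unavoidable: the condition travels as a parameter
--    of sp_executesql, so it is data to the T-SQL parser. Double quotes are removed
--    first because a double quote is the character that closes the quoted search
--    term inside the condition. The condition is then:
--    FormsOf(INFLECTIONAL, "tax'); DROP TABLE listings; --")
--    which is a well-formed phrase search that simply matches nothing.
DECLARE @Clean nvarchar(max) = REPLACE(@SearchWord, N'"', N'');
DECLARE @Condition nvarchar(max) =
    N'FormsOf(INFLECTIONAL, "' + @Clean + N'")';
DECLARE @Safe nvarchar(max) =
    N'SELECT [KEY], RANK FROM CONTAINSTABLE(listings, *, @cond)';
EXEC sp_executesql @Safe, N'@cond nvarchar(max)', @cond = @Condition;
```

The practical caveat this makes visible: inside the variable, the character with meaning to the full-text condition is the double quote, because that is what delimits the term; a single quote in @SearchWord never reaches the T-SQL parser in step 1 and so cannot inject, whereas in step 2 it is exactly what terminates the literal. Stripping double quotes (or rejecting input that contains them) keeps the condition well-formed, and passing the condition as a parameter keeps it data.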
