
Are the following MySQL stored procedures vulnerable to SQL injection?

I have read almost all the posts on this but could not judge whether my procedures are vulnerable or not. Any help is appreciated.

1) Calling the procedure as:

$query = ($is_mine?'call dispatch.dis_get_my_assigned_tasks("'.$username.'");'

Procedure:

CREATE DEFINER=`test`@`localhost` PROCEDURE `dis_get_all_assigned_tasks`()
BEGIN
    select distinct at_id, at_issues, at_location, at_room_number, user_fname
        from dispatch.dis_assigned_tasks
        left outer join dispatch.dis_users
        on user_id = at_user
    order by at_location, at_user_pickup_timestamp desc;
END

2) Calling the procedure as:

$query = "call dispatch.dis_get_user_info('".$username."');";

Procedure:

CREATE DEFINER=`test`@`localhost` PROCEDURE `dis_get_user_info`(IN username VARCHAR(45))
BEGIN    
    select * from dispatch.dis_users where user_username = username;
END

The procedures are not vulnerable to SQL injection, but your queries are.

To prevent (and learn about) SQL injection, please see our reference question:
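The distinction the answer draws, as an added example that is not part of the original question or answers: the concatenated call from the question beside a parameterised call of the same `dis_get_user_info` procedure through PDO. The DSN, credentials and the `o'brien` sample username are constructed placeholders.

```php
<?php
// Added example, not the question's or answers' code. Requires pdo_mysql and
// the dispatch.dis_get_user_info(IN username VARCHAR(45)) procedure from the
// question. Connection details below are placeholders.

function buildConcatenatedCall(string $username): string
{
    // Mirrors the question's $query: the value is glued into the SQL text, so
    // whether the statement stays well-formed depends on what $username holds.
    return "call dispatch.dis_get_user_info('" . $username . "');";
}

function getUserInfoSafely(PDO $pdo, string $username): array
{
    // The username travels as a bound parameter, never as part of the SQL
    // text, so the server always sees one CALL with one string argument.
    $stmt = $pdo->prepare('CALL dispatch.dis_get_user_info(?)');
    $stmt->bindValue(1, $username, PDO::PARAM_STR);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    $stmt->closeCursor(); // CALL yields an extra status result set; release it
    return $rows;
}

// A perfectly legitimate username with an apostrophe is enough to show the
// defect: in the concatenated form the apostrophe ends the string literal
// early, so the SQL text is shaped by user input instead of by the program.
$username = "o'brien"; // constructed sample input
echo buildConcatenatedCall($username), PHP_EOL;

$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=dispatch;charset=utf8mb4', // placeholder DSN
    'app_user',     // placeholder credentials
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);
// Same input, handled as data: the procedure simply looks up the user "o'brien".
print_r(getUserInfoSafely($pdo, $username));
```

The same change applies to the first call in the question: pass `$username` as a bound parameter of `CALL dispatch.dis_get_my_assigned_tasks(?)` instead of embedding it between quotes.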

As for the "almost all the posts on this" you say you've read, it looks like they didn't cover the topic well. I suggest you select better material to learn from.
