[英]Demonstrate SQL injection in PL/pgSQL
I have this function in plpgsql: 我在plpgsql中具有以下功能:
CREATE OR REPLACE function login_v(em varchar, passwd varchar)
RETURNS users AS $$
DECLARE
cu users;
BEGIN
SELECT * into cu
FROM users where email = em
AND encrypted_password = crypt(passwd, encrypted_password);
return cu;
END
$$ LANGUAGE plpgsql;
When I provide an input like this: select login_v('test@test.com'' OR 1=1;--','la la la');
当我提供这样的输入时:
select login_v('test@test.com'' OR 1=1;--','la la la');
, I think my method should return the user with email test@test.com
. ,我认为我的方法应使用电子邮件
test@test.com
返回用户。 What Am I doing wrong? 我究竟做错了什么?
Performing SQL injection is necessary here to demonstrate the concept for an exercise, but I am an SQL injection and plpgsql boob. 这里需要执行SQL注入来演示练习的概念,但是我是SQL注入和plpgsql boob。 :|
:|
SQL queries in PL/pgSQL are planned like prepared statements. PL / pgSQL中的SQL查询的计划类似于准备好的语句。 As long as you only pass values like you do, SQL injection is generally impossible .
只要像您一样只传递值 ,通常就不可能进行 SQL注入。 Details:
细节:
Use dynamic SQL with EXECUTE
and without proper parameter handling to actually demonstrate SQL injection. 使用带有
EXECUTE
且没有适当参数处理的动态SQL来实际演示SQL注入。
Like (this is how not to do it!): 赞(这是多么不这样做!):
CREATE OR REPLACE FUNCTION login_v(em varchar, passwd varchar)
RETURNS SETOF users AS
$func$
BEGIN
RETURN QUERY EXECUTE
'SELECT *
FROM users
WHERE email = $1
AND encrypted_password = crypt(''' || passwd || ''', encrypted_password)'
USING em;
END
$func$ LANGUAGE plpgsql;
The first variable em
is properly passed with the USING
clause as value and thus cannot be abused for SQL injection. 第一个变量
em
正确地以USING
子句作为值传递,因此不能被滥用用于SQL注入。
But the second variable passwd
is improperly concatenated without properly escaping. 但是第二个变量
passwd
的连接不正确,没有正确转义。 Thus, user input can be converted to SQL code. 因此,用户输入可以转换为SQL代码。 SQL injection.
SQL注入。
Never use this! 永远不要使用这个! Except when demonstrating how not to do it.
除了在演示如何不这样做时。
Similar mischief is possible when concatenating SQL strings in the client improperly. 在客户端中不正确地连接SQL字符串时,可能会发生类似的恶作剧。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.