[英]SQL injection when client is only selecting
According to this question , SQL injection is something one would have to prevent. 根据这个问题 ,SQL注入是必须防止的事情。 In an application where the user is only selecting from the database, how would this be a concern?
在用户仅从数据库中进行选择的应用程序中,这将成为一个问题吗?
Here are some examples of problems that SQL injection could allow even if the user is restricted to SELECT privilege: 以下是一些示例示例,即使用户被限制为SELECT特权,SQL注入也可能允许这些问题:
The attacker could read data intended to be read only by other users. 攻击者可能会读取旨在仅由其他用户读取的数据。 Many applications use the same MySQL user to connect, and then enforce further data-access restrictions with application code.
许多应用程序使用同一MySQL用户进行连接,然后对应用程序代码施加进一步的数据访问限制。 Ie I'm only supposed to see the shopping cart that I created.
即,我只应该看到我创建的购物车。 But with SQL injection, I could read everyone's shopping cart, their purchase history, their credit card number, and so on.
但是通过SQL注入,我可以读取每个人的购物车,他们的购买历史,他们的信用卡号等等。
The attacker could read the hashed passwords of other accounts, crack them (on his own computer), and then log in to another user with greater privileges. 攻击者可以读取其他帐户的哈希密码,(在自己的计算机上)破解它们,然后以更高的特权登录到另一个用户。
The attacker could run a denial-of-service attack by running a SELECT query that uses too many resources. 攻击者可以通过运行使用过多资源的SELECT查询来进行拒绝服务攻击 。 For example, on MySQL, the table
INFORMATION_SCHEMA.CHARACTER_SETS
is readable even for a user with no privileges. 例如,在MySQL上,即使没有权限的用户也可以读取表
INFORMATION_SCHEMA.CHARACTER_SETS
。 Now what is going to happen when the attacker runs this query: 现在,当攻击者运行此查询时将发生什么:
SELECT * FROM (SELECT * FROM CHARACTER_SETS, CHARACTER_SETS, CHARACTER_SETS, CHARACTER_SETS, CHARACTER_SETS, CHARACTER_SETS) AS t ORDER BY 1
It tries to create a temp table on disk for 2,839,760,855,281 rows. 它尝试在磁盘上为2,839,760,855,281行创建一个临时表。 I predict that will exhaust disk space on your server.
我预计这将耗尽服务器上的磁盘空间。
Your question sounds like you're fishing for a rationale for skipping writing safe code that protects against SQL injection. 您的问题听起来像是在寻找一种基本原理,以跳过编写防止SQL注入的安全代码。
Sorry, no dice. 抱歉,没有骰子。 You need to write safe code.
您需要编写安全的代码。
用户所做的任何会导致对数据源进行CRUD操作的操作都应视为危险操作,并应采取所有预防措施以防止SQL注入。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.