What happens to a parameterized query at database level
I am working on a few SQL injection bugs flagged by a vulnerability scanner and was looking at some of the other implementations in the application where parameterized queries are used for DB interactions.
I observed in the profiler that all the parameterized queries are actually calling the sp_executesql procedure. So,

1) Do all parameterized query implementations, with any library, actually just call this stored procedure?

2) If not, is a parameterized query finally converted to just a normal string query and then executed?
I cannot answer 1). But you can pass the parameter names as well as a varying number of parameters to sp_executesql (Transact-SQL). So sp_executesql is not a limiting factor here.

Besides defeating SQL injection, this has the advantage that the database can cache the compiled query and reuse it the next time the same SQL command is executed, even with different parameter values.

Yet another advantage is that you don't have to care about the right representation of literals. This is especially valuable for date/time literals (which tend to be quite complicated because formats are culture specific and can vary otherwise). You don't need to care about escaping quotes in strings.
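The following is an added example, not code from the question or the answer above. It uses Python's built-in sqlite3 module as a stand-in for SQL Server, so that it runs offline; the `customers` table and its two rows are constructed sample data, and the `:name` placeholder is sqlite3's named-parameter syntax, playing the role that `@name` plays in the `sp_executesql` call the profiler shows. It contrasts a query that concatenates the value into the SQL text with a parameterized one: the parameterized statement text stays identical across calls (which is what lets the engine reuse a cached plan), a value containing a quote is handled without any escaping, and a date is passed as a value rather than formatted into a literal.

```python
import sqlite3
from datetime import date

# Constructed sample data standing in for a real customers table.
SAMPLE_ROWS = [("Alice", "2020-01-15"), ("O'Reilly", "2021-06-30")]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, joined TEXT)"
    )
    conn.executemany("INSERT INTO customers (name, joined) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_by_name_concatenated(conn, name):
    """Builds the value into the SQL text itself.

    Every distinct value produces a distinct statement, so nothing can be
    reused, and a quote inside the value changes the statement's grammar.
    A syntax error is returned as a string so the caller can compare outcomes.
    """
    sql = "SELECT id FROM customers WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def find_by_name_parameterized(conn, name):
    """Keeps the SQL text constant and sends the value separately.

    The engine compiles the same text every time and binds the value to
    :name; the value is never parsed as SQL, so quotes need no escaping.
    """
    sql = "SELECT id FROM customers WHERE name = :name"
    return [row[0] for row in conn.execute(sql, {"name": name})]


def joined_on_or_after(conn, since):
    """Date filter: pass the value instead of formatting a date literal.

    `since` is a datetime.date; the driver receives an ISO string and the
    application never has to decide on a culture-specific literal format.
    """
    sql = "SELECT name FROM customers WHERE joined >= :since ORDER BY id"
    return [row[0] for row in conn.execute(sql, {"since": since.isoformat()})]


def demo():
    """Run both query styles against the sample table and collect the results."""
    conn = make_db()
    return {
        "concat_plain": find_by_name_concatenated(conn, "Alice"),
        "concat_quote": find_by_name_concatenated(conn, "O'Reilly"),
        "param_plain": find_by_name_parameterized(conn, "Alice"),
        "param_quote": find_by_name_parameterized(conn, "O'Reilly"),
        "joined_since_2021": joined_on_or_after(conn, date(2021, 1, 1)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it to see that the concatenated lookup for `O'Reilly` fails with a syntax error while the parameterized lookup returns the row; the same constant statement text served both the `Alice` and the `O'Reilly` lookups, which is the reuse the answer describes.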