
Protect Oracle database against SQL Injection

I'm on Symfony and I don't know how to protect my database against SQL injection. If you have some idea, I will be grateful.

My function with SQL:

    public function getResult($value)
    {
        // The value is spliced directly into the SQL text by string concatenation.
        $sql = "SELECT SOMETHING FROM SOMETHING smt
                WHERE smt.THING = '".$value."'";

        return $this->egee->executeQuery($sql);
    }

And here is my executeQuery function:

    public function executeQuery($sql) {

        $entityManager = $this->em->getConnection('xxx');

        $stmt = $entityManager->prepare($sql);

        $stmt->execute();

        return $stmt->fetch();
    }

I already tried with bindParam, but it didn't work with Oracle. With bindParam I get this response:

Error 503 : Service Unavailable The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Here's how you do it ... with any and every database: parameterized queries.

Your SQL string now becomes:

SELECT SOMETHING FROM SOMETHING smt WHERE smt.THING = ?

Notice the ? (which is not in quotes ... this is not a one-character literal string). This indicates a query parameter.

Now, each time you execute the query, you supply an array() containing each of the parameter-values you want to substitute, in order left-to-right. Different values may be used each time the query is executed (without re-preparing it), because these values are not "part of" the query: they are inputs.

No matter what the parameter-value contains, the database engine will never see it as anything other than the numeric or string value that it is. It will never regard it as "part of the SQL." Thus, SQL-injection becomes impossible.

Furthermore, the [binary] value is used directly, instead of being decoded from a character string. So, say, if you want to use quote-marks as part of your string parameter-value, you would not "encode" them with backslashes. (If you provided \\" , then "a backslash followed by a quote mark" is what SQL would see as the parameter's value ... a perfectly acceptable two-character value.)

Here's a nice write-up: https://www.w3schools.com/php/php_mysql_prepared_statements.asp

The documentation for Doctrine ORM in the Symfony manual shows an example of using a query parameter:

https://symfony.com/doc/current/doctrine.html#querying-with-sql

$sql = '
    SELECT * FROM product p
    WHERE p.price > :price
    ORDER BY p.price ASC
    ';
$stmt = $conn->prepare($sql);
$stmt->execute(['price' => $price]);

You don't need to use bindParam. Just pass a hash array to execute(), where the hash keys are the named query parameter placeholders you put in your SQL query.
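The question's own getResult()/executeQuery() pair rewritten to use a named bind parameter, as an added example that is not part of the question or either answer. It assumes the same Doctrine DBAL calls shown on this page (prepare(), execute(array), fetch()) and the question's own $this->em->getConnection('xxx') accessor.

```php
<?php
// Added example (not from the original question or answers): the question's
// getResult()/executeQuery() rewritten so that $value is sent to Oracle as a
// bind variable rather than concatenated into the SQL text.
// Assumes the DBAL API used on this page: prepare() / execute(array) / fetch().

class ThingRepository
{
    private $em;  // whatever the question's $this->em is (assumed injected)

    public function __construct($em)
    {
        $this->em = $em;
    }

    // The SQL text is now a constant. Oracle receives :thing as a bind
    // variable and treats its content purely as data, so a quote or a
    // trailing "OR 1=1" in $value cannot change the statement's structure.
    public function getResult($value)
    {
        $sql = 'SELECT SOMETHING FROM SOMETHING smt WHERE smt.THING = :thing';

        return $this->executeQuery($sql, ['thing' => $value]);
    }

    // executeQuery() now takes the bind values and hands them to execute(),
    // exactly as the Symfony documentation snippet above does. The array keys
    // must match the :name placeholders in $sql; positional "?" placeholders
    // would instead take a plain list in left-to-right order.
    public function executeQuery($sql, array $params = [])
    {
        $connection = $this->em->getConnection('xxx');  // 'xxx' as in the question

        $stmt = $connection->prepare($sql);
        $stmt->execute($params);

        return $stmt->fetch();
    }
}
```

Because the statement text never changes between calls, the same prepared statement can be re-executed with different $params values without re-preparing it.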
