用户通过身份验证后,我应该关心 sql 注入吗?
[英]Should I care about sql injection after user has been authenticated?
问题描述
Does make sense to check on malicious SQL input from an authenticated user?
检查来自经过身份验证的用户的恶意 SQL 输入是否有意义?
2 个解决方案
解决方案1
1 已采纳 2022-01-04 12:20:09
An authenticated user can inject queries that bypasses his security settings if such a query doesn't enforce security checks on fields/objects.如果此类查询不对字段/对象强制执行安全检查,则经过身份验证的用户可以注入绕过其安全设置的查询。 Also if a class is defined as without sharing, a simple where clause addition such as OR id != null into the query can fetch records that he should not be having access to such as salary statements of his colleagues!!此外,如果将 class 定义为不共享,则在查询中添加简单的 where 子句(例如OR id != null可以获取他不应访问的记录,例如同事的工资报表!
So in conclusion, all queries must be checked for sql injection.所以总而言之,必须检查所有查询是否有 sql 注入。
解决方案2
0 2022-01-04 12:30:34
If authenticated end user drop any data table, then in your view it is not necessary to care about injection, so there is no need to care about that.如果经过身份验证的最终用户删除了任何数据表,那么在您看来,没有必要关心注入,因此无需关心。
解决方案3
0 2022-01-13 04:44:24
Many SQL injection vulnerabilities are not malicious attacks, and won't result in damage.许多SQL注入漏洞不是恶意攻击,不会造成破坏。 They just result in unnecessary errors that confuse your users and spoil your application's features.它们只会导致不必要的错误,使您的用户感到困惑并破坏您的应用程序的功能。
SELECT * FROM Users WHERE last_name = 'O'Reilly'
^ mismatched quote
Why would you ever not write your code to avoid SQL injection?你为什么不编写代码来避免 SQL 注入?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.