
Preventing SQL injection in C++ OTL, DTL, or SOCI libraries

I've been looking at all three of these database libraries, and I'm wondering if they do anything to prevent SQL injection. I'm most likely going to be building a lib on top of one of them, and injection is a top concern I have in picking one. Anybody know?

Got in touch with the author of the OTL library. A parameterized query written in "OTL Dialect," as I'm calling it, will be passed to the underlying DB APIs as a parameterized query. So parameterized queries would be as injection-safe as the underlying APIs make them.

Go to this other SO post for his full e-mail explanation: Is C++ OTL SQL database library using parameterized queries under the hood, or string concat?

Edit: SOCI uses the soci::use expression, which translates to the usual binding mechanism, but with more syntactic sugar. Example: db_session << "insert into table(column) values(:value_placeholder)", use(user_input,"value_placeholder");

As far as DTL is concerned, I'm not sure what it does with parameters in relation to the underlying APIs.

Generally a library at this level should just do what you tell it to. You mostly prevent SQL injection by looking at strings you're provided by the user, and only passing things on to the library after you've sanitized them.
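An added illustration of the distinction drawn in the two answers above, written for this page and not taken from either answer or from OTL, SOCI or DTL: the struct, the function names and the sample inputs are hypothetical, and a small quote-aware "shape" function stands in for the database engine's parser. It shows that a bound statement's SQL text is identical whatever the input, that plain concatenation lets the input add clauses, and that the quote-doubling kind of sanitizing holds up in a quoted-string context but does nothing in an unquoted numeric one:

```cpp
// Added example, not from the original answers or from OTL/SOCI/DTL.
// It models what "passed to the underlying API as a parameterized query"
// means: the SQL text is fixed and the value travels separately, so the
// statement's structure cannot change. Concatenation (even after quote
// escaping) gives the input a chance to change it. All names are hypothetical.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <map>
#include <string>

// What a binding library hands to the driver: fixed text with :name
// placeholders, plus the values kept apart. Loosely modelled on SOCI's
// use(value, "name"); this struct is not SOCI's own type.
struct BoundStatement {
    std::string sql;
    std::map<std::string, std::string> params;
};

// Concatenation: the user's bytes become part of the statement text.
std::string buildByConcat(const std::string& user_input) {
    return "SELECT * FROM users WHERE name = '" + user_input + "'";
}

// Binding: the statement text never depends on the input.
BoundStatement buildByBinding(const std::string& user_input) {
    return {"SELECT * FROM users WHERE name = :name", {{"name", user_input}}};
}

// The "sanitize first" approach: double every single quote.
std::string escapeQuotes(const std::string& s) {
    std::string out;
    for (char c : s) {
        out += c;
        if (c == '\'') out += '\'';
    }
    return out;
}

// A numeric context: no quotes surround the value, so quote escaping has
// nothing to act on.
std::string buildNumericByConcat(const std::string& user_input) {
    return "SELECT * FROM users WHERE id = " + escapeQuotes(user_input);
}

// Reduce a statement to its shape: every string literal (honouring '' as an
// escaped quote) and every integer literal becomes '?'. Two statements with
// different shapes have different structure, which is what injection changes.
std::string shapeOf(const std::string& sql) {
    std::string shape;
    for (std::size_t i = 0; i < sql.size(); ++i) {
        char c = sql[i];
        if (c == '\'') {
            ++i;  // step into the literal
            while (i < sql.size()) {
                if (sql[i] == '\'') {
                    if (i + 1 < sql.size() && sql[i + 1] == '\'') { i += 2; continue; }
                    break;  // closing quote
                }
                ++i;
            }
            shape += '?';
        } else if (std::isdigit(static_cast<unsigned char>(c))) {
            while (i + 1 < sql.size() && std::isdigit(static_cast<unsigned char>(sql[i + 1]))) ++i;
            shape += '?';
        } else {
            shape += c;
        }
    }
    return shape;
}

// True when the input altered the statement's structure relative to a benign value.
bool concatChangesShape(const std::string& input) {
    return shapeOf(buildByConcat(input)) != shapeOf(buildByConcat("alice"));
}
bool numericConcatChangesShape(const std::string& input) {
    return shapeOf(buildNumericByConcat(input)) != shapeOf(buildNumericByConcat("42"));
}
bool bindingChangesShape(const std::string& input) {
    return buildByBinding(input).sql != buildByBinding("alice").sql;
}

int main() {
    const std::string attack = "' OR '1'='1";       // constructed sample input
    const std::string numeric_attack = "1 OR 1=1";  // constructed sample input
    std::cout << "concat, raw:     " << concatChangesShape(attack) << '\n';                 // 1
    std::cout << "concat, escaped: " << concatChangesShape(escapeQuotes(attack)) << '\n';   // 0
    std::cout << "concat, numeric: " << numericConcatChangesShape(numeric_attack) << '\n';  // 1
    std::cout << "bound:           " << bindingChangesShape(attack) << '\n';                // 0
    return 0;
}
```

shapeOf is a deliberately small stand-in for the engine's parser, so it only knows about single-quoted literals and integers; the point it makes carries over to a real engine, which likewise parses the statement text before it ever sees the bound values. That is why binding is the check to look for in a library, and why per-context sanitizing has to know the exact context (quoted string, number, identifier) it is escaping for.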
