堆栈内存溢出
  简体   繁体   English

在SQL注入中,存储过程中的预准备语句是否安全?

[英]Is a prepared statement inside a stored procedure safe from SQL injection?

 原文  2011-08-28 10:26:26       php/ mysql/ stored-procedures/ sql-injection

问题描述

In MySQL is a prepared statement inside a stored procedure safe from SQL injection? 在MySQL中,是一个从SQL注入安全的存储过程中准备好的语句吗? See example below. 见下面的例子。 The get_info stored procedure is passed a table name (pTbl) and the where clause (pWhere). get_info存储过程传递一个表名(pTbl)和where子句(pWhere)。 pWhere can have many AND's (eg fld1="a" AND fld2="b" AND ...). p可以有多个AND(例如fld1 =“a”AND fld2 =“b”AND ...)。 It's probably not the best way to do it but I need to have dynamic sql. 它可能不是最好的方法,但我需要动态的SQL。 

CREATE PROCEDURE get_info(pTbl VARCHAR(10), pWhere TEXT)
BEGIN
    SET @uSQL = CONCAT('SELECT info FROM ',pTbl,' WHERE ',pWhere);
    PREPARE ps FROM @uSQL;
    EXECUTE ps;
END$$

I tried calling the stored procedure like below using MySQL Query Browser but only got an error back saying I have a syntax error in my SQL. 我尝试使用MySQL查询浏览器调用下面的存储过程但只返回错误,说我的SQL中有语法错误。 

CALL get_info('tbl','1=1;SELECT * FROM information_schema.TABLES;');

If it helps any the stored procedure is being called from PHP using PDO like below. 如果它有助于使用PDO从PHP调用任何存储过程,如下所示。 $tbl is a $_SESSION variable and $whr is a $_GET variable. $ tbl是$ _SESSION变量,$ whr是$ _GET变量。 

$s=$c->prepare("CALL get_info(?,?)");
$s->execute(array($tbl,$whr));

Is this stored procedure safe? 这个存储过程安全吗? If not, how would I inject it? 如果没有,我将如何注射它? Does it make a difference if I inject from MySQL Query Browser vs from a web page? 如果我从MySQL查询浏览器注入到网页,它会有所作为吗? Thanks... 谢谢...

3 个解决方案

解决方案1
 2  2011-08-28 10:58:49

Yes, it is safe. 是的,这是安全的。 (edit: no, it's not) (编辑:不,不是)

The crucial point is to know when is the SQL text analyzed and transformed into the semantic tree. 关键是要知道SQL文本何时被分析并转换为语义树。 Prepared statements are precisely that: statements that are prepared, just waiting for the arguments. 准备好的语句就是:准备好的语句,只是等待参数。 They're stored in the server fully compiled to the internal execution plan, with the 'holes' for the missing arguments. 它们存储在完全编译到内部执行计划的服务器中,缺少参数的“漏洞”。

That's why you're getting the syntax error, you're trying to set the whole WHERE part as an argument; 这就是为什么你得到语法错误,你试图将整个WHERE部分设置为参数; but it's a whole expression tree. 但它是一个完整的表达树。 The prepared statement can only have 'holes' for data elements, not for syntactic text. 准备好的语句只能有数据元素的“漏洞”,而不能用于语法文本。

The protocol that transfers the arguments is fully binary safe, no matter what you have in your argument variables, they'll be send as binary data and used only as data, not as part of the SQL command. 传递参数的协议是完全二进制安全的,无论你在参数变量中有什么,它们都将作为二进制数据发送并仅用作数据,而不是作为SQL命令的一部分。

edit ooops! 编辑 ooops! i've just noticed that you are doing text interpolation, just not in PHP but in SQL. 我刚刚注意到,你做文字插值,只是没有在PHP,但SQL。 That means you're constructing the SQL command later, using external data. 这意味着您将在以后使用外部数据构建S​​QL命令。

definitely unsafe. 绝对不安全。

解决方案2
 1  2011-08-28 10:57:49

Since one of the values comes from the user, some forms of SQL injection are possible; 由于其中一个值来自用户,因此可以使用某些形式的SQL注入; while only SELECT queries can be run, it is still possible to reveal information by passing 1=1 to the page. 虽然只能运行SELECT查询,但仍然可以通过将1=1传递给页面来显示信息。 The actual usefulness of the information revealed in this manner may be low, but it can still happen. 以这种方式显示的信息的实际有用性可能很低,但它仍然可能发生。

解决方案3
 1 已采纳  2011-08-28 10:58:47

Any time you interpolate a value into a statement there's the possibility of injection. 只要将值插入到语句中,就有可能注入。 The procedure is vulnerable. 该程序很脆弱。 The only general limitation with injection in SQL procedures and functions is that PREPARE works on a single statement. SQL过程和函数中注入的唯一一般限制是PREPARE在单个语句上工作。 In this specific case, that the injected text is after a WHERE clause in a SELECT basically limits attacks to sub-selects, UNION , calling procedures and functions (tricky but potentially very dangerous), and dumping to files (if the definer of get_info has the FILE privilege). 在这种特定情况下,注入的文本在SELECTWHERE子句之后基本上限制了对子选择, UNION ,调用过程和函数(棘手但可能非常危险)的攻击,并转储到文件(如果get_info的定义者有FILE特权)。

As an example, try: 例如,尝试: 

CALL get_info('tbl','1=0 UNION SELECT CONCAT(user, "@", host, " ", password) FROM mysql.user;');

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 AJAX发布的带有准备好的语句对SQL注入安全吗? - Is post by AJAX with prepared statement safe from sql injection? PHP Prepared Statement 调用的存储过程中的Prepared Statement - Prepared Statement Inside Stored Procedure Called by PHP Prepared Statement 存储过程中的准备好的语句不起作用 - prepared statement inside stored procedure not working 尽管未准备好,但此SQL语句是否可以防止注入? - Is this SQL statement safe against injection despite not being prepared? 我是否可以通过使用存储过程而不是查询来避免 SQL 注入? - Am I safe from SQL Injection by using a stored procedure instead of query? 使用准备好的语句从存储过程中获取found_records的值 - getting the value of found_records from stored procedure with prepared statement 从准备好的语句调用的存储过程的INOUT参数失败 - INOUT parameter failure for stored procedure called from prepared statement 如何使用 PHP 和 PDO 以及准备好的语句创建安全(避免 SQL 注入)分页? - How to create safe (avoid SQL injection) pagination using PHP and PDO and prepared statement? 如何在存储过程中使用准备好的语句的结果 - How to use Result of prepared statement in the stored procedure 存储过程准备语句错误mysql php - stored procedure prepared statement bug mysql php
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM