可能的SQL注入会删除带有存储过程的表?
[英]Possible SQL injection dropping a table with stored procedure?
问题描述
Given this MySQL stored procedure: 
鉴于此MySQL存储过程:
CREATE PROCEDURE customer.`getCustomers5`(
sdf varchar(1000)
)
BEGIN
set @se = concat('select * from customer.customertbl where id=', sdf);
PREPARE stm1 from @se;
EXECUTE stm1;
END;
Is it possible to do SQL injection into this store procedure even if the front end that called this stored procedure uses PDO parameter/data binding? 即使调用此存储过程的前端使用PDO参数/数据绑定,是否也可以将SQL注入该存储过程?
I need to build a query dynamically (dynamic where clause) before calling it. 我需要在调用它之前动态地建立一个查询(dynamic where子句)。
if it's possible to do SQL injection, is there any method to counter this problem? 如果可以进行SQL注入,是否有任何方法可以解决此问题?
2 个解决方案
解决方案1
2 2012-02-11 12:01:30
You are just using prepared statements wrong. 您只是在使用准备好的语句而已。
You have to bind parameters, not concatenate them. 您必须绑定参数,而不是串联它们。
DELIMITER //
CREATE PROCEDURE customer.`getCustomers5`(sdf varchar(1000))
BEGIN
PREPARE stm1 from 'select * from customer.customertbl where id=?';
SET @a = sdf;
EXECUTE stm1 using @a;
END//
DELIMITER ;
解决方案2
-1 已采纳 2012-02-11 10:56:51
If your parameter is varchar and you send a string, then yes, it is possible because even if you use PDO, it would still be a ANY string. 如果您的参数是varchar并且发送了字符串,那么可以,因为即使使用PDO,它仍然是ANY字符串。
You should define sdf as your id type (is it integer? if not, make it integer!) and then the PDO parameter will be escaped and avoid SQL Injection. 您应该将sdf定义为您的id类型(是否为整数?如果不是,请使其为整数!),然后将对PDO参数进行转义并避免SQL注入。
A good practice is to avoid creating dynamic queries in a Stored Procedure and build the query in your application. 好的做法是避免在存储过程中创建动态查询,并在应用程序中构建查询。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.