
SQL Injection - select * from table where column in (

I have a statement similar to this, where 'name' can be inserted

select * from table where column in (/**name*/ 'name')

I am currently checking for ')' .

ex. they can put in '*/; drop table--', but SQL will throw an error because there are no parentheses, right?

If they cannot close the parentheses, is there still a security risk?

Why risk it? Always use SQL query parameters for dynamic values, then you don't need to worry about escaping or whether you're at risk.

If you specify what programming language and RDBMS brand you're using, I'll point you to a resource with examples of using query parameters.
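As an added example that is not part of any answer above: the IN (...) query from the question written with one placeholder per value, in Python with sqlite3 (table and column names are assumed, sample rows are constructed). Each value is bound as data, so the '*/; drop table--' string from the question is compared as a literal name rather than parsed as SQL; the empty-list case is handled separately because MySQL rejects IN ().

```python
import sqlite3

# Constructed sample data; the table name "accounts" and column "name" are assumptions.
ROWS = [("alice",), ("bob",), ("carol",)]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?)", ROWS)
    conn.commit()
    return conn


def find_by_names(conn: sqlite3.Connection, names: list[str]) -> list[str]:
    """Return the names in `names` that exist in the table, using bound parameters.

    Only the number of placeholders depends on the input; the SQL text itself
    never contains user data, so quotes, comments and semicolons in a value
    cannot change the statement's structure.
    """
    if not names:
        # IN () is a syntax error on MySQL and others; short-circuit instead.
        return []
    placeholders = ", ".join("?" for _ in names)
    sql = f"SELECT name FROM accounts WHERE name IN ({placeholders}) ORDER BY name"
    return [row[0] for row in conn.execute(sql, list(names))]


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    """Check the catalog so a test can confirm no DROP TABLE ran."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = setup_db()
    print(find_by_names(db, ["alice", "carol"]))          # ['alice', 'carol']
    print(find_by_names(db, ["*/; drop table--"]))        # []
    print(table_exists(db, "accounts"))                    # True
```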

Yes - what if they terminate the statement (albeit invalid), and then execute their own?

This works (tested it locally on mysql):

select * from TABLE where (col = ''; select * from TABLE;

The first statement generates an error, but the second statement runs fine.

Yes.

If I take your post literally, you want to insert name in two places, once in the comment and once in the text string:

select * from table where column in (/**/select column from table where column !=/**/ '/select column from table where column !=/*');

Always escape any user-inputted data.

mysqli_real_escape_string

Or old school

mysql_real_escape_string
