SQL injection against stored procedures
SQL injection for Stored Procedure
I am assessing whether my SP can be attacked with SQL injection.
I tried to inject with the following, but the injection did not succeed (that is, the injected text was simply written to the table as ordinary data):
data'; DROP TABLE my_table; --
How should I go about attempting SQL injection? Or is the SP so secure that SQL somehow blocks the injection?
My SP is as follows:
@ID int,
@AIType varchar(1),
@parent varchar(20),
@child varchar(20),
AS
BEGIN
SET NOCOUNT ON;
-- Insert statements for procedure here
BEGIN TRY
UPDATE AI_Grouping
SET AIType=@AIType,
parent=@parent,
child=@child
WHERE ID=@ID
END TRY
BEGIN CATCH
-- Catch exceptions
END CATCH
END
Edit:
If it helps: on the front end I have field-length validation that matches the types of the SP variables. Some fields allow at most 8 characters, others at most 20 (as in the example above). Perhaps the injection example I tried above is a bad one, since it is longer than 20 characters...
The ultimate question is: is my SP vulnerable to SQL injection?
From the article: How to write SQL injection proof PL/SQL
Distinguishing between compile-time-fixed SQL statement text and run-time-created SQL statement text
We define the term compile-time-fixed SQL statement text to mean the text of a SQL statement that cannot change at run time and that can be confidently determined by reading the source code. More precisely, it is the text of a SQL statement that is a PL/SQL static varchar2 expression. The value of a PL/SQL static varchar2 expression cannot change at run time and could be precomputed at compile time.
The SQL statement text for embedded SQL is composed by the PL/SQL compiler and cannot change at run time. Therefore, embedded SQL definitely executes only compile-time-fixed SQL statement text.
However, it can easily be arranged that any of PL/SQL's methods for executing dynamic SQL will, at a particular call site, execute only compile-time-fixed SQL.
So your code is safe.
To distinguish compile-time-fixed SQL from run-time-created SQL, here are two samples:
Compile-time-fixed SQL
CREATE PROCEDURE remove_emp (p_employee_id NUMBER) AS
BEGIN
-- here the delete command is immutable, therefore sql injection safe
DELETE FROM employees
WHERE employees.employee_id = p_employee_id;
END;
Run-time-created SQL
CREATE PROCEDURE remove_emp (p_employee_id VARCHAR2) AS
BEGIN
-- here the delete command is built at run time from the parameter value,
-- so the parameter can inject SQL
-- (no semicolon inside the string: EXECUTE IMMEDIATE rejects one for a
--  single SQL statement with ORA-00911)
EXECUTE IMMEDIATE 'DELETE FROM employees
WHERE employees.employee_id = ' || p_employee_id;
END;
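The distinction the answer draws, applied to the procedure in the question, as an added example that is not part of the original post or answer. The question's procedure is T-SQL and the answer's samples are PL/SQL, but the property is the same in both: with fixed statement text and bound parameters the payload from the question can only ever be a value, while once the values are concatenated into the statement text the quote ends the string literal, the semicolon ends the statement and the `--` comments out the rest of the UPDATE, including its WHERE clause. Python's built-in sqlite3 stands in for the database engine here (an assumption), the AI_Grouping and my_table schemas are constructed for the example, and executescript plays the role of a T-SQL batch that runs every statement it is handed:

```python
import sqlite3

# The payload from the question (constructed input; 31 characters).
PAYLOAD = "data'; DROP TABLE my_table; --"


def fresh_db():
    """In-memory database with the two tables the example needs.

    The schemas are constructed for this example; the question only shows
    the column names of AI_Grouping and the name my_table.
    """
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE AI_Grouping (ID INTEGER PRIMARY KEY, AIType TEXT,
                                  parent TEXT, child TEXT);
        INSERT INTO AI_Grouping VALUES (1, 'A', 'p0', 'c0');
        CREATE TABLE my_table (x INTEGER);
        """
    )
    return con


def update_fixed_text(con, id_, ai_type, parent, child):
    """The question's UPDATE: the statement text is fixed in the source and
    the four values travel as bind parameters, so they are never parsed as SQL."""
    con.execute(
        "UPDATE AI_Grouping SET AIType = ?, parent = ?, child = ? WHERE ID = ?",
        (ai_type, parent, child, id_),
    )
    con.commit()


def update_concatenated(con, id_, ai_type, parent, child):
    """The run-time-created variant (EXEC('...' + @parent) in T-SQL,
    EXECUTE IMMEDIATE '...' || p_x in PL/SQL): the values become part of the
    statement text, so a quote inside a value ends the string literal."""
    sql = (
        "UPDATE AI_Grouping SET AIType = '" + ai_type + "', parent = '" + parent
        + "', child = '" + child + "' WHERE ID = " + str(id_) + ";"
    )
    # executescript runs every statement in the string, like a T-SQL batch.
    con.executescript(sql)


def table_exists(con, name):
    """True if a table of that name still exists in the database."""
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def run(update_fn, parent_value=PAYLOAD):
    """Apply one update style with the payload in @parent and report the outcome."""
    con = fresh_db()
    update_fn(con, 1, "B", parent_value, "c1")
    parent, child = con.execute(
        "SELECT parent, child FROM AI_Grouping WHERE ID = 1"
    ).fetchone()
    return {
        "stored_parent": parent,          # what ended up in the column
        "stored_child": child,            # 'c1' only if the full UPDATE ran
        "my_table_survived": table_exists(con, "my_table"),
    }


if __name__ == "__main__":
    for fn in (update_fixed_text, update_concatenated):
        print(fn.__name__, run(fn))
```

With fixed text the whole payload is stored verbatim in parent, child becomes 'c1' and my_table is untouched, which is exactly what the question observed. With concatenation the statement that actually reaches the engine is UPDATE ... parent = 'data' (no WHERE clause, so every row is affected), followed by DROP TABLE my_table, with the rest commented out, so child keeps its old value. The front-end length check mentioned in the edit does not move a procedure between these two cases: it only bounds how long an injected fragment can be, not whether the parameter is interpreted as SQL.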