¼¼Çɺ;÷ÇÏ£º·À·¶SQL×¢Èë¹¥»÷
¡¾ÔÎĵØÖ·¡¿Tip/Trick: Guard Against SQL Injection Attacks
¡¾ÔÎÄ·¢±íÈÕÆÚ¡¿ Saturday, September 30, 2006 9:11 AM
SQL×¢Èë¹¥»÷ÊǷdz£ÁîÈËÌÖÑáµÄ°²È«Â©¶´£¬ÊÇËùÓеÄweb¿ª·¢ÈËÔ±£¬²»¹ÜÊÇʲôƽ̨£¬¼¼Êõ£¬»¹ÊÇÊý¾Ý²ã£¬ÐèҪȷÐÅËûÃÇÀí½âºÍ·ÀÖ¹µÄ¶«Î÷¡£²»ÐÒµÄÊÇ£¬¿ª·¢ÈËÔ±ÍùÍù²»¼¯Öл¨µãʱ¼äÔÚÕâÉÏÃ棬ÒÔÖÁËûÃǵÄÓ¦Ó㬸üÔã¸âµÄÊÇ£¬ËûÃǵĿͻ§¼«ÆäÈÝÒ×Êܵ½¹¥»÷¡£
Michael Sutton ×î½ü·¢±íÁËһƪ·Ç³£·¢ÈËÉîÊ¡µÄÌû×Ó£¬½²ÊöÔÚ¹«¹²ÍøÉÏÕâÎÊÌâÊǶàôµØÆձ顣ËûÓÃGoogleµÄSearch API½¨ÁËÒ»¸öC#µÄ¿Í»§¶Ë³ÌÐò£¬Ñ°ÕÒÄÇЩÒ×ÊÜSQL ×¢Èë¹¥»÷µÄÍøÕ¾¡£Æä²½ÖèºÜ¼òµ¥£º
Ñ°ÕÒÄÇЩ´ø²éѯ×Ö·û´®µÄÍøÕ¾(ÀýÈ磬²éѯÄÇЩÔÚURLÀï´øÓÐ "id=" µÄURL)
¸øÕâЩȷ¶¨Îª¶¯Ì¬µÄÍøÕ¾·¢ËÍÒ»¸öÇëÇ󣬸ıäÆäÖеÄid=Óï¾ä£¬´øÒ»¸ö¶îÍâµÄµ¥ÒýºÅ£¬À´ÊÔͼȡÏûÆäÖеÄSQLÓï¾ä(ÀýÈ磬Èç id=6' )
·ÖÎö·µ»ØµÄ»Ø¸´£¬ÔÚÆäÖвéÕÒÏó“SQL” ºÍ“query”ÕâÑùµÄ´Ê£¬ÕâÍùÍù±íʾӦÓ÷µ»ØÁËÏêϸµÄ´íÎóÏûÏ¢(Õâ±¾ÉíÒ²ÊǺÜÔã¸âµÄ)
¼ì²é´íÎóÏûÏ¢ÊÇ·ñ±íʾ·¢Ë͵½SQL·þÎñÆ÷µÄ²ÎÊýûÓб»ÕýÈ·¼ÓÂë(encoded)£¬Èç¹ûÈç´Ë£¬ÄÇô±íʾ¿É¶Ô¸ÃÍøÕ¾½øÐÐSQL×¢Èë¹¥»÷
¶Ôͨ¹ýGoogleËÑÑ°ÕÒµ½µÄ1000¸öÍøÕ¾µÄËæ»úÈ¡Ñù²âÊÔ£¬Ëû¼ì²âµ½ÆäÖеÄ11.3%ÓÐÒ×ÊÜSQL×¢Èë¹¥»÷µÄ¿ÉÄÜ¡£Õâ·Ç³££¬·Ç³£µØ¿ÉÅ¡£ÕâÒâζןڿͿÉÒÔÔ¶³ÌÀûÓÃÄÇЩӦÓÃÀïµÄÊý¾Ý£¬»ñÈ¡ÈκÎûÓÐhashed»ò¼ÓÃܵÄÃÜÂë»òÐÅÓÿ¨Êý¾Ý£¬ÉõÖÁÓÐÒÔ¹ÜÀíÔ±Éí·ÝµÇ½½øÕâЩӦÓõĿÉÄÜ¡£Õâ²»½ö¶Ô¿ª·¢ÍøÕ¾µÄ¿ª·¢ÈËÔ±À´ËµºÜÔã¸â£¬¶øÇÒ¶ÔʹÓÃÍøÕ¾µÄÏû·ÑÕß»òÓû§À´Ëµ¸üÔã¸â£¬ÒòΪËûÃǸøÍøÕ¾ÌṩÁËÊý¾Ý£¬Ïë×ÅÍøÕ¾ÊÇ°²È«µÄÄØ¡£
ÄÇôSQL×¢Èë¹¥»÷µ½µ×ÊÇʲôÍæÒ⣿
Óм¸ÖÖÇéÐÎʹµÃSQL×¢Èë¹¥»÷³ÉΪ¿ÉÄÜ¡£×î³£¼ûµÄÔÒòÊÇ£¬Ä㶯̬µØ¹¹ÔìÁËSQLÓï¾ä£¬È´Ã»ÓÐʹÓÃÕýÈ·µØ¼ÓÁËÂë(encoded)µÄ²ÎÊý¡£Æ©È磬¿¼ÂÇÕâ¸öSQL²éѯµÄ±àÂ룬ÆäÄ¿µÄÊǸù¾ÝÓɲéѯ×Ö·û´®ÌṩµÄÉç»á±£ÏÕºÅÂë(social security number)À´²éѯ×÷Õß(Authors)£º
Dim SSN as String
Dim SqlQuery as String
SSN = Request.QueryString("SSN")
SqlQuery = "SELECT au_lname, au_fname from authors WHERE au_id = '" + SSN + "'"
Èç¹ûÄãÓÐÏóÉÏÃæÕâ¸öƬ¶ÏÒ»ÑùµÄSQL±àÂ룬ÄÇôÄãµÄÕû¸öÊý¾Ý¿âºÍÓ¦ÓÿÉÒÔÔ¶³ÌµØ±»ºÚµô¡£Ôõô»áÄØ£¿ÔÚÆÕͨÇéÐÎÏ£¬Óû§»áʹÓÃÒ»¸öÉç»á±£ÏÕºÅÂëÀ´·ÃÎÊÕâ¸öÍøÕ¾£¬±àÂëÊÇÏó
Ïà¹ØÎĵµ£º
1 :ÆÕͨSQLÓï¾ä¿ÉÒÔÓÃExecÖ´ÐÐ
Àý: Select * from tableName
Exec('select * from tableName')
& ......
Ò»¡¢±í½á¹¹²éѯ
SELECT TOP (100) PERCENT a.name AS zdm,COLUMNPROPERTY(a.id, a.name, 'IsIdentity') AS bs ,
CASE WHEN EXISTS (SELECT 1 from dbo.sysindexes si INNER JOIN dbo.sysindexkeys sik ON si.id = sik.id
AND si.indid = sik.indid INNER JOIN dbo.syscolumns sc ON sc.id = sik.id AND sc. ......
½¨±í£º
CREATE TABLE [DB.dbo].tableName
(Stud_id int CONSTRAINT constraintName1 not null primary key,
Name nvarchar(5) not null,
Birthday datetime,
Gender nchar(1),
Telcode char(12),
Zipcode char(6) CONSTRAINT constraintName2 CHECK(zipcode like [ ......
BEGIN TRANSACTION--¿ªÊ¼ÊÂÎñ
DECLARE @errorSun INT --¶¨Òå´íÎó¼ÆÊýÆ÷
SET @errorSun=0 --û´íΪ0
UPDATE a SET id=232 WHERE a=1 --ÊÂÎñ²Ù×÷SQLÓï¾ä
SET @errorSun=@errorSun+@@ERROR --ÀÛ¼ÆÊÇ·ñÓдí
UPDATE aa SET id=2 WHERE a=1 --ÊÂÎñ²Ù×÷SQLÓï¾ä
SET @errorSun=@errorSun+@@ERROR --ÀÛ¼ÆÊÇ·ñÓдí
I ......
¼ò½é
ÔÚÕâƪÎÄÕÂÖУ¬ÎÒÁоÙһЩsqlÓï¾äÀ´½éÉÜÊý¾Ý¿â£¬Êý¾Ý±í£¬ÊÓͼµÈµÈ¡£µ±ÎÒÃÇÔÚʹÓòéѯ²éѯ²Ù×÷ʱÕâЩsqlÓï¾ä¶¼ÊǷdz£ÓÐÓõġ£ËäÈ»ÔÚsql server¶ÔÏóä¯ÀÀÆ÷ÖÐÎÒÃÇÒ²¿ÉÒÔ»ñµÃÕâЩÓï¾ä£¬µ«ÊÇÈç¹ûÎÒÃÇдÕâЩÓï¾äʱÎÒÃÇ¿ÉÒÔ½«Ëü×Ô¶¨Òå¡£Õâ¾ÍÒâζ×ÅÎÒÃÇ¿ÉÒÔ¸øÓè×Ô¼ºµÄÐèÇóÀ´¹ýÂ˽á¹û¡£
sqlÓï¾äÁбí
ÈçºÎÁоÙsql serverµ±Ç°Á ......