我的书签
添加书签
移除书签Introduction
It represents a serious threat because SQL Injection allows evil attacker code to change the structure of a web application’s SQL statement in a way that can steal data, modify data, or potentially facilitate command injection to the underlying OS.
This cheat sheet is a derivative work of the .
Parameterized Query Examples
Using Java with Hibernate
@Entity // declare as entity;@NamedQuery(name="findByDescription",query="FROM Inventory i WHERE i.productDescription = :productDescription")public class Inventory implements Serializable {@Idprivate String productDescription;}// use case// This should REALLY be validated tooString userSuppliedParameter = request.getParameter("Product-Description");// perform input validation to detect attacksList<Inventory> list =session.getNamedQuery("findByDescription").setParameter("productDescription", userSuppliedParameter).list();// This should REALLY be validated tooString userSuppliedParameter = request.getParameter("Product-Description");// perform input validation to detect attacksInventory inv = (Inventory) session.createCriteria(Inventory.class).add(Restrictions.eq("productDescription", userSuppliedParameter)).uniqueResult();
Using .NET built-in feature
String query = "SELECT account_balance FROM user_data WHERE user_name = ?";try {OleDbCommand command = new OleDbCommand(query, connection);command.Parameters.Add(new OleDbParameter("customerName", CustomerName Name.Text));OleDbDataReader reader = command.ExecuteReader();// …} catch (OleDbException se) {// error handling}
string sql = "SELECT * FROM Customers WHERE CustomerId = @CustomerId";command.Parameters.Add(new SqlParameter("@CustomerId", System.Data.SqlDbType.Int));command.Parameters["@CustomerId"].Value = 1;
Using Ruby with ActiveRecord
Using Ruby built-in feature
insert_new_user = db.prepare "INSERT INTO users (name, age, gender) VALUES (?, ? ,?)"
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");$stmt->bindParam(':name', $name);$stmt->bindParam(':value', $value);
Using Cold Fusion built-in feature
<cfquery name = "getFirst" dataSource = "cfsnippets">SELECT * FROM #strDatabasePrefix#_courses WHERE intCourseID =<cfqueryparam value = #intCourseID# CFSQLType = "CF_SQL_INTEGER"></cfquery>
Using PERL with Database Independent Interface
Stored Procedure Examples
The SQL you write in your web application isn’t the only place that SQL injection vulnerabilities can be introduced. If you are using Stored Procedures, and you are dynamically constructing SQL inside them, you can also introduce SQL injection vulnerabilities.
To ensure this dynamic SQL is secure, you can parameterize this dynamic SQL too using bind variables.
Normal Stored Procedure
No dynamic SQL being created. Parameters passed in to stored procedures are naturally bound to their location within the query without anything special being required:
PROCEDURE SafeGetBalanceQuery(UserID varchar, Dept varchar) AS BEGINSELECT balance FROM accounts_table WHERE user_ID = UserID AND department = Dept;END;
Stored Procedure Using Bind Variables in SQL Run with EXECUTE
Bind variables are used to tell the database that the inputs to this dynamic SQL are ‘data’ and not possibly code:
PROCEDURE AnotherSafeGetBalanceQuery(UserID varchar, Dept varchar)AS stmt VARCHAR(400); result NUMBER;BEGINstmt := 'SELECT balance FROM accounts_table WHERE user_ID = :1AND department = :2';EXECUTE IMMEDIATE stmt INTO result USING UserID, Dept;RETURN result;END;
SQL Server using Transact-SQL
Normal Stored Procedure
PROCEDURE SafeGetBalanceQuery(@UserID varchar(20), @Dept varchar(10)) AS BEGINEND
Stored Procedure Using Bind Variables in SQL Run with EXEC
Bind variables are used to tell the database that the inputs to this dynamic SQL are ‘data’ and not possibly code:
