防sql注入之参数绑定 SQL Injection Attacks and Defense
http://php.net/manual/zh/pdo.prepared-statements.php
预处理语句与存储过程
很多更成熟的数据库都支持预处理语句的概念。什么是预处理语句?可以把它看作是想要运行的 SQL 的一种编译过的模板,它可以使用变量参数进行定制。预处理语句可以带来两大好处:
- 查询仅需解析(或预处理)一次,但可以用相同或不同的参数执行多次。当查询准备好后,数据库将分析、编译和优化执行该查询的计划。对于复杂的查询,此过程要花费较长的时间,如果需要以不同参数多次重复相同的查询,那么该过程将大大降低应用程序的速度。通过使用预处理语句,可以避免重复分析/编译/优化周期。简言之,预处理语句占用更少的资源,因而运行得更快。
- 提供给预处理语句的参数不需要用引号括起来,驱动程序会自动处理。如果应用程序只使用预处理语句,可以确保不会发生SQL 注入。(然而,如果查询的其他部分是由未转义的输入来构建的,则仍存在 SQL 注入的风险)。
预处理语句如此有用,以至于它们唯一的特性是在驱动程序不支持的时PDO 将模拟处理。这样可以确保不管数据库是否具有这样的功能,都可以确保应用程序可以用相同的数据访问模式。
http://php.net/manual/en/pdo.prepared-statements.php
Prepared statements and stored procedures
Many of the more mature databases support the concept of prepared statements. What are they? They can be thought of as a kind of compiled template for the SQL that an application wants to run, that can be customized using variable parameters. Prepared statements offer two major benefits:
- The query only needs to be parsed (or prepared) once, but can be executed multiple times with the same or different parameters. When the query is prepared, the database will analyze, compile and optimize its plan for executing the query. For complex queries this process can take up enough time that it will noticeably slow down an application if there is a need to repeat the same query many times with different parameters. By using a prepared statement the application avoids repeating the analyze/compile/optimize cycle. This means that prepared statements use fewer resources and thus run faster.
- The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).
Prepared statements are so useful that they are the only feature that PDO will emulate for drivers that don't support them. This ensures that an application will be able to use the same data access paradigm regardless of the capabilities of the database.
w pdo
业务驱动技术
<?php
$ReadParametersList = array('w_start_unix', 'w_count', 'CreatedAfter', 'CreatedBefore','NextToken');
foreach ($ReadParametersList as $w) {
$wfile = 'D:\cmd\\' . $w . '.w';
$handle = fopen($wfile, 'r');
$wb = fread($handle, filesize($wfile));
echo $wb . "\r\n";
} try {
$dbh = new PDO('mysql:host=localhost;dbname=apiamz',"root", "root");
$sql = 'SELECT COUNT(*) FROM listorders';
foreach($dbh->query($sql) as $row) {
print_r($row);
}
$dbh = null;
} catch (PDOException $e) {
print "Error!: " . $e->getMessage() . "<br/>";
die();
} die();
w
SQL Injection Attacks and Defense
Second Edition
Using parameterized statements
As we discussed in previous chapters, one of the root causes of SQL injection is the creation of
SQL queries as strings that are then sent to the database for execution. This behavior,
commonly known as dynamic string building or dynamic SQL, is one of the primary causes of
an application being vulnerable to SQL injection.
As a more secure alternative to dynamic string building, most modern programming
languages and database access application program interfaces (APIs) allow you to provide
parameters to a SQL query through the use of placeholders, or bind variables, instead of
working directly with the user input. Commonly known as parameterized statements, these are
a safer alternative that can avoid or solve many of the common SQL injection issues you will
see within an application, and you can use them in most common situations to replace an
existing dynamic query. They also have the advantage of being very efficient on modern
databases, as the database can optimize the query based on the supplied prepared statement,
increasing the performance of subsequent queries.
I should note, however, that parameterized statements are a method of supplying potentially
insecure parameters to the database, usually as a query or stored procedure call. They do not
alter the content of the values that are passed to the database, though, so if the database
functionality being called uses dynamic SQL within the stored procedure or function
implementation it is still possible for SQL injection to occur. This has historically been a
problem with Microsoft SQL Server and Oracle, both of which have shipped with a number of
built-in stored procedures that were vulnerable to SQL injection in the past, and it is a danger
that you should be aware of with any database stored procedures or functions that use dynamic
SQL in their implementation. An additional issue to consider is that malicious content could
have been stored in the database at this point that may then be used elsewhere in the
application, causing SQL injection at another point in the application. We discussed this in
Chapter 7, in “Exploiting second-order SQL injection.”
Here is an example of a vulnerable piece of login page pseudocode using dynamic SQL. We
will discuss how to parameterize this code in Java, C#, and PHP in the following sections: Username = request(“username”)
Password = request(“password”)
Sql = “SELECT
∗
FROM users WHERE username=’” + Username + “‘ AND password=’”+ Password + “’”
Result = Db.Execute(Sql)
If (Result) /
∗
successful login
∗
/
Tools & traps…
What Can be Parameterized, and What Can’t?
Not all dynamic SQL statements can be parameterized. In particular, you can parameterize only data values, and
not SQL identifiers or keywords. Therefore, you can’t have parameterized statements such as the following:
SELECT
∗
FROM ? WHERE username = ‘john’
SELECT ? FROM users WHERE username = ‘john’
SELECT
∗
FROM users WHERE username LIKE ‘j%’ ORDER BY ?
Unfortunately, a common solution presented in online forums to solve this problem is to use dynamic SQL in
the string that is then used to parameterize the query, as in the following example:
String sql = “SELECT
∗
FROM ” + tbl Name + “ WHERE user =?”;
In this case, you can end up introducing an SQL injection issue where there previously wasn’t one by trying to
parameterize a statement.
In general, if you’re trying to supply an SQL identifier as a parameter, you should look at your SQL and how
you’re accessing your database first, and then look at whether it is possible to rewrite the query using a fixed
identifier. Although it may be possible to solve this through the use of dynamic SQL, this is also likely to
adversely affect the performance of the query, as the database will not be able to optimize the query. If dynamic
SQL is required, ensure that known value validation (discussed later in this chapter) is performed to validate
identifiers in the database metadata where possible.
防sql注入之参数绑定 SQL Injection Attacks and Defense的更多相关文章
- 防sql注入之参数绑定 SQL Injection Attacks and Defense 预处理语句与存储过程
http://php.net/manual/zh/pdo.prepared-statements.php 预处理语句与存储过程 很多更成熟的数据库都支持预处理语句的概念.什么是预处理语句?可以把它看作 ...
- 黑马程序员_ADO.Net(ExecuteReader,Sql注入与参数添加,DataSet,总结DataSet与SqlDataReader )
转自https://blog.csdn.net/u010796875/article/details/17386131 一.执行有多行结果集的用ExecuteReader SqlDateReader ...
- js防止sql注入的参数过滤
js防止sql注入的参数过滤 <script language="javascript"> <!-- var url = location.search; var ...
- Exploiting second-order SQL injection 利用二阶注入获取数据库版本信息 SQL Injection Attacks and Defense Second Edition
w SQL Injection Attacks and Defense Second Edition Exploiting second-order SQL injection Virtually ...
- sql注入学习笔记,什么是sql注入,如何预防sql注入,如何寻找sql注入漏洞,如何注入sql攻击 (原)
(整篇文章废话很多,但其实是为了新手能更好的了解这个sql注入是什么,需要学习的是文章最后关于如何预防sql注入) (整篇文章废话很多,但其实是为了新手能更好的了解这个sql注入是什么,需要学习的是文 ...
- Statement和PreparedStatement的区别; 什么是SQL注入,怎么防止SQL注入?
问题一:Statement和PreparedStatement的区别 先来说说,什么是java中的Statement:Statement是java执行数据库操作的一个重要方法,用于在已经建立数据库连接 ...
- Statement和PreparedStatement的区别; 什么是SQL注入,怎么防止SQL注入? (转)
问题一:Statement和PreparedStatement的区别 先来说说,什么是java中的Statement:Statement是java执行数据库操作的一个重要方法,用于在已经建立数据库连接 ...
- 【sql注入】浅谈sql注入中的Post注入
[sql注入]浅谈sql注入中的Post注入 本文来源:i春秋学院 00x01在许多交流群中,我看见很多朋友对于post注入很是迷茫,曾几何,我也是这样,因为我们都被复杂化了,想的太辅助了所以导致现在 ...
- [转]SQL注入漏洞及绑定变量浅谈
1.一个问题引发的思考 大家在群里讨论了一个问题,奉文帅之命写篇作文,且看: String user_web = "user_web" String sql = "upd ...
随机推荐
- 每日一个机器学习算法——LR(逻辑回归)
本系列文章用于汇集知识点,查漏补缺,面试找工作之用.数学公式较多,解释较少. 1.假设 2.sigmoid函数: 3.假设的含义: 4.性质: 5.找一个凸损失函数 6.可由最大似然估计推导出 单个样 ...
- Maven 命令行创建项目时 Could not find goal ‘create’ in plugin org.apache.maven.plugins:...
使用maven3.3.9 版本,进行命令行创建项目时输入以下命令创建失败 mvn archetype:create -DgroupId=com.zang.maven -DartifactId=sys ...
- 网站定时任务IIS配置
网站中的定时任务一般是必不可少的,具体的实现方法此文不做详细说明,如有需要了解的请留言.本文主要讲述定时任务有关IIS中的设置. 如果一个网站在20分钟内(IIS默认为20分钟)没有客户端访问,服务器 ...
- 什么时候使用PHP设计模式和为什么要使用?
有大量的文章解释什么是设计模式,如何实现设计模式,网络上不需要再写一篇这样的文章.相反,在本文中我们更多的讨论什么时候用和为什么要用,而不是用哪一个和如何使用. 我将会为这些设计模式描绘不同的场景和案 ...
- Subversion和TortoiseSVN安装与配置(转)
Subversion为版本控制软件的服务器端. TortoiseSVN为版本控制软件的客户端. 1.下载Subversion与TortoiseSVN. Subversion的地址:http://sub ...
- Atitit.编程语言原理---方法重载的实现与设计 调用方法的原理
Atitit.编程语言原理---方法重载的实现与设计 调用方法的原理 1. 重载包括:普通方法的重载和构造方法的重载 1 1.1. 横向重载”和“纵向重载”1 1.2. 方法签名通过 方法名称,参数 ...
- 基于RocketIO的高速串行协议设计与实现
随着对信息流量需求的不断增长, 传统并行接口技术成为进一步提高数据传输速率的瓶颈.过去主要用于光纤通信的串行通信技术—SERDES正在取代传统并行总线而成为高速接口技术的主流.SERDES 是串行器) ...
- [ci]gitlab安装配置(含gitlab邮件配置)
gitlab安装配置 参考: https://www.unixhot.com/article/48 原则:简单维护为准,故yum安装gitlab 1,gitlab安装 2,gitlab邮箱配置 1,g ...
- 王立平--Eclipse中配置svn
1.-------------------------------------------------------------------------------------------------- ...
- unity free asset
Unity Test Tools https://www.assetstore.unity3d.com/#/content/13802 Sample Assets (beta) https://www ...