我是一名为内部用户编写的桌面开发人员,因此我并不担心恶意黑客,但我想知道在更新将在服务器上执行sql的值时是否有任何东西可以输入.
业务定义了他们的内容模式,我有一个CRUD应用程序,当模式更改时不必更改它们,因为验证详细信息是由表驱动的,而更新是使用动态sql.我必须在他们的数据条目中支持单引号,所以当他们输入它们时,我会在服务器上执行sql之前将它们加倍.然而,从我读过的内容来看,这不足以阻止注射.
所以我的问题是,他们可以在自由格式文本字段中输入哪些文本可以更改服务器上的内容而不是存储为字面值?
基本上,我在运行时构建一个遵循模式的sql语句:
update table set field = value其中pkField = pkVal
使用这个VB.NET代码:
- Friend Function updateVal(ByVal newVal As String) As Integer
- Dim params As Collection
- Dim sql As String
- Dim ret As Integer
- sql = _updatesql(newVal)
- params = New Collection
- params.Add(sqlClientAccess.instance.sqlParam("@sql",DbType.String,sql))
- Try
- ret = sqlClientAccess.instance.execSP("usp_execsql",params)
- Catch ex As Exception
- Throw New Exception(ex.Message)
- End Try
- Return ret
- End Function
- Private Function _updatesql(ByVal newVal As String) As String
- Dim sql As String
- Dim useDelimiter As Boolean = (_formatType = DisplaySet.formatTypes.text)
- Dim position As Integer = InStr(newVal,"'")
- Do Until position = 0
- newVal = Left(newVal,position) + Mid(newVal,position) ' double embedded single quotes '
- position = InStr(position + 2,newVal,"'")
- Loop
- If _formatType = DisplaySet.formatTypes.memo Then
- sql = "declare @ptrval binary(16)"
- sql = sql & " select @ptrval = textptr(" & _fieldName & ")"
- sql = sql & " from " & _updateTableName & _PKWhereClauses
- sql = sql & " updatetext " & _updateTableName & "." & _fieldName & " @ptrval 0 null '" & newVal & "'"
- Else
- sql = "Update " & _updateTableName & " set " & _fieldName & " = "
- If useDelimiter Then
- sql = sql & "'"
- End If
- sql = sql & newVal
- If useDelimiter Then
- sql = sql & "'"
- End If
- sql = sql & _PKWhereClauses
- End If
- Return sql
- End Function
当我将文本字段更新为值时
Redmond’; drop table OrdersTable–
它产生:
- Update caseFile set notes = 'Redmond''; drop table OrdersTable--' where guardianshipID = '001168-3'
并将值更新为他们输入的文字值.
他们还能输入什么来注入sql?
同样,我并不担心有人想在他们的工作中破解服务器,但想知道如果他们不小心粘贴来自其他地方的文本并破坏某些东西.
谢谢.