A simple example of a SQL injection

wowcynthia 2009-10-22 08:33:03
HttpServletRequest request = ...;
String userName = request.getParameter("name");   // attacker-controlled HTTP parameter
Connection con = ...;
// userName is concatenated straight into the SQL text: this is the injection point
String query = "SELECT * FROM Users " +
               " WHERE name = '" + userName + "'";
con.execute(query);   // shorthand for con.createStatement().execute(query)
wowcynthia 2009-10-24
In the code below, string param is
tainted because it is returned from a source method
getParameter. So is buf1, because it is derived from
param in the call to append on line 6. Finally, string
query is passed to sink method executeQuery.
1 String param = req.getParameter("user");
2
3 StringBuffer buf1;
4 StringBuffer buf2;
5 ...
6 buf1.append(param);
7 String query = buf2.toString();
8 con.executeQuery(query);
Unless we know that variables buf1 and buf2 may never
refer to the same object, we would have to conservatively
assume that they may. Since buf1 is tainted, variable
query may also refer to a tainted object. Thus a conservative
tool that lacks additional information about pointers
will flag the call to executeQuery on line 8 as potentially
unsafe.
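The propagation described in the quoted passage, as an added example that is not part of the original post or of the paper it quotes: a small Python taint tracker over the eight-line program above, run once with no pointer information (every reference may alias every other) and once with hypothetical points-to sets. The statement encoding, the predicate names and the abstract object names such as `o1` are constructed for this illustration.

```python
from typing import Callable, Dict, List, Set, Tuple

# Statement encoding for the straight-line program in the post (constructed here):
# (source line, op, destination variable, source variable or method).
# Lines 2 and 5 of the post are blank / elided and carry no statement.
PROGRAM: List[Tuple[int, str, str, str]] = [
    (1, "source", "param", "getParameter"),   # String param = req.getParameter("user");
    (3, "decl", "buf1", "StringBuffer"),      # StringBuffer buf1;
    (4, "decl", "buf2", "StringBuffer"),      # StringBuffer buf2;
    (6, "append", "buf1", "param"),           # buf1.append(param);
    (7, "tostring", "query", "buf2"),         # String query = buf2.toString();
    (8, "sink", "executeQuery", "query"),     # con.executeQuery(query);
]

MayAlias = Callable[[str, str], bool]


def conservative_alias(a: str, b: str) -> bool:
    """No pointer information: any two references may point to the same object."""
    return True


def alias_from_points_to(points_to: Dict[str, Set[str]]) -> MayAlias:
    """Build a may-alias predicate from points-to sets as a pointer analysis would
    produce them (hypothetical result; object names like 'o1' are constructed)."""
    def may_alias(a: str, b: str) -> bool:
        return bool(points_to.get(a, set()) & points_to.get(b, set()))
    return may_alias


def analyze(program, may_alias: MayAlias) -> Tuple[List[int], Set[str]]:
    """Forward taint propagation. Returns (flagged sink lines, tainted variables).

    'source' introduces taint; 'append' mutates the object dst refers to, so taint
    spreads to every declared variable that may alias dst; 'tostring' derives a new
    value from a possibly tainted object; 'sink' is flagged if its argument is tainted.
    """
    tainted: Set[str] = set()
    declared: List[str] = []
    flagged: List[int] = []
    for line, op, dst, src in program:
        if op == "decl":
            declared.append(dst)
        elif op == "source":
            tainted.add(dst)
        elif op == "append" and src in tainted:
            tainted.add(dst)
            for other in declared:
                if other != dst and may_alias(dst, other):
                    tainted.add(other)
        elif op == "tostring" and src in tainted:
            tainted.add(dst)
        elif op == "sink" and src in tainted:
            flagged.append(line)
    return flagged, tainted


if __name__ == "__main__":
    print("no pointer info:", analyze(PROGRAM, conservative_alias))
    distinct = alias_from_points_to({"buf1": {"o1"}, "buf2": {"o2"}})
    print("buf1 and buf2 provably distinct:", analyze(PROGRAM, distinct))
    shared = alias_from_points_to({"buf1": {"o1"}, "buf2": {"o1", "o2"}})
    print("buf2 may point to buf1's object:", analyze(PROGRAM, shared))
```

With the conservative predicate the tool reports line 8, exactly as the passage says; with points-to sets that keep `buf1` and `buf2` apart the report disappears, and it comes back as soon as `buf2` may point to the object `buf1` appended to.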
wowcynthia 2009-10-24
Why did you take it all down and head to C++?
lihan6415151528 2009-10-23
Don't write it like this; it is the easiest thing to attack.
lihan6415151528 2009-10-23
In Java, use the PreparedStatement object.
wowcynthia 2009-10-23
This code snippet obtains a user name (userName) by invoking
request.getParameter("name") and uses it to
construct a query to be passed to a database for execution
(con.execute(query)). This seemingly innocent piece
of code may allow an attacker to gain access to unauthorized
information: if an attacker has full control of string
userName obtained from an HTTP request, he can for
example set it to ' OR 1 = 1;--. Two dashes are used
to indicate comments in the Oracle dialect of SQL, so the
WHERE clause of the query effectively becomes the tautology
name = '' OR 1 = 1. This allows the attacker
to circumvent the name check and get access to all user
records in the database.
Does this vulnerability still exist today?
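The tautology attack described in the post above, next to the parameterised form that lihan6415151528's reply recommends, as an added example that is not part of the original thread. It is written in Python on an in-memory sqlite3 database so it runs with no database server; the table contents are constructed sample data, and the function names are mine. The vulnerable function has the same shape as the posted Java (untrusted text concatenated into the statement); the safe one passes the value as a bound parameter, which in JDBC is a PreparedStatement with a `?` placeholder and setString.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows standing in for the Users table from the post.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# The payload from the thread: closes the string literal, adds a tautology,
# and comments out whatever follows.
PAYLOAD = "' OR 1 = 1;--"


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return con


def build_query(user_name: str) -> str:
    """The string the vulnerable code hands to the database: the untrusted value
    is spliced into the SQL text, so quotes inside it change the statement."""
    return "SELECT * FROM Users WHERE name = '" + user_name + "'"


def lookup_vulnerable(con: sqlite3.Connection, user_name: str) -> List[Tuple[str, str]]:
    return con.execute(build_query(user_name)).fetchall()


def lookup_safe(con: sqlite3.Connection, user_name: str) -> List[Tuple[str, str]]:
    # The statement text is fixed; the value travels separately as a bound
    # parameter and is compared as data, never parsed as SQL.
    return con.execute("SELECT * FROM Users WHERE name = ?", (user_name,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    print(build_query(PAYLOAD))              # WHERE name = '' OR 1 = 1;--'
    print(lookup_vulnerable(con, "alice"))   # the one matching row
    print(lookup_vulnerable(con, PAYLOAD))   # every row in the table
    print(lookup_safe(con, PAYLOAD))         # no rows: nobody is literally named "' OR 1 = 1;--"
```

The check worth keeping in mind: the vulnerable query returns all three rows for the payload because the WHERE clause has become `name = '' OR 1 = 1`, while the parameterised query returns none, since the whole payload is compared as a name. Escaping quotes by hand is not a substitute; bound parameters are.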
rucypli 2009-10-22
exec stored proc
--小F-- 2009-10-22
???