I was using some sql statements in views in a web app developed using playframework.I have the following java function
public static void search(String word){
String trimword = word.trim();
String pattern = "%"+trimword+"%";
String query="select distinct item from Item item where item.name like :pattern";
List<Item> items = Item.find(query).bind("pattern", pattern).fetch();
...
}
The 'word' is a string entere开发者_如何学Cd by user through a text input field in a web page form..Can the above be misused by an evil person to do nasty things to my db?I tried various combinations of user input like 'SomeItem or '1'='1'
etc but nothing unexpected happened..But my knowledge of sql is minimal ..If anyone can point out any vulnerabilities in this and suggest improvements/safeguards ,it would be helpful
The .bind("pattern", pattern)
prevents SQL Injection attacks. Thus your query is not prone to an SQL Injection attack.
Also, your code appending the %
values is similar to a user entering the %
. The bind()
method will handle both the same way.
Your query is not prone to sql injection. As a general rule use bind variables on everything but table names and column names, which you can't use bind variables for.
So, vunerable
select distinct item from item where name like '&pattern'
impossible,
select distinct item from :item where name like = 'buggy'
okay
select distinct item from item where name like :pattern
EDIT @JNK, you'll have to assume that I've coded the oracle connections correctly as execute() runs to about 80 lines.
>>> import oracle
>>> db = oracle.OracleConnection('schema/pw@server')
>>> db.connect()
>>> SQL = """ select 1 from feed_logs where file_id = :file_id"""
>>> bind_vars = { 'file_id' : '1; delete from feed_logs'}
>>> db.DBCursor.execute(SQL, bind_vars=bind_vars)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
cx_Oracle.NotSupportedError: Variable_TypeByValue(): unhandled data type dict
>>>
精彩评论