开发者

is my sql query prone to sql injection or other attacks

开发者 https://www.devze.com 2023-03-30 19:56 出处:网络
I was using some sql statements in views in a web app developed using playframework.I have the following java function

I was using some sql statements in views in a web app developed using playframework.I have the following java function

public static void search(String word){
   String trimword = word.trim();
   String pattern = "%"+trimword+"%";
   String query="select distinct item from Item item where item.name like :pattern";
   List<Item> items = Item.find(query).bind("pattern", pattern).fetch();
   ...
}

The 'word' is a string entere开发者_如何学Cd by user through a text input field in a web page form..Can the above be misused by an evil person to do nasty things to my db?I tried various combinations of user input like 'SomeItem or '1'='1' etc but nothing unexpected happened..But my knowledge of sql is minimal ..If anyone can point out any vulnerabilities in this and suggest improvements/safeguards ,it would be helpful


The .bind("pattern", pattern) prevents SQL Injection attacks. Thus your query is not prone to an SQL Injection attack.

Also, your code appending the % values is similar to a user entering the %. The bind() method will handle both the same way.


Your query is not prone to sql injection. As a general rule use bind variables on everything but table names and column names, which you can't use bind variables for.

So, vunerable

select distinct item from item where name like '&pattern'

impossible,

select distinct item from :item where name like = 'buggy'

okay

select distinct item from item where name like :pattern

EDIT @JNK, you'll have to assume that I've coded the oracle connections correctly as execute() runs to about 80 lines.

>>> import oracle
>>> db = oracle.OracleConnection('schema/pw@server')
>>> db.connect()
>>> SQL = """ select 1 from feed_logs where file_id = :file_id"""
>>> bind_vars = { 'file_id' : '1; delete from feed_logs'}
>>> db.DBCursor.execute(SQL, bind_vars=bind_vars)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
cx_Oracle.NotSupportedError: Variable_TypeByValue(): unhandled data type dict
>>>
0

精彩评论

暂无评论...
验证码 换一张
取 消