Does using curly braces {} with dynamic queries in Oracle 11g protect me from SQL injection?

Time: 2012-08-14 21:21:53

Tags: oracle11g sql-injection

Reading this:

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

In the dynamic SQL section it gives several things, for example:

So, if you had an existing Dynamic query being generated in your code that was going to Oracle that looked like this:

    String query = "SELECT user_id FROM user_data WHERE user_name = '" + req.getParameter("userID")
        + "' and user_password = '" + req.getParameter("pwd") + "'";
    try {
        Statement statement = connection.createStatement( … );
        ResultSet results = statement.executeQuery( query );
    }

You would rewrite the first line to look like this:

    Codec ORACLE_CODEC = new OracleCodec();
    String query = "SELECT user_id FROM user_data WHERE user_name = '"
        + ESAPI.encoder().encodeForSQL( ORACLE_CODEC, req.getParameter("userID")) + "' and user_password = '"
        + ESAPI.encoder().encodeForSQL( ORACLE_CODEC, req.getParameter("pwd")) + "'";

And it would now be safe from SQL injection, regardless of the input supplied.

But further down it says:

Oracle 10g escaping

An alternative for Oracle 10g and later is to place { and } around the string to escape the entire string. However, you have to be careful that there isn't a } character already in the string. You must search for these and if there is one, then you must replace it with }}. Otherwise that character will end the escaping early, and may introduce a vulnerability.

I haven't seen an example, but does this mean I can use curly braces instead of Codec ORACLE_CODEC ... etc.? Does anyone have an example? Thanks.

1 answer:

Answer 0 (score: 3)

No, that is not an injection prevention technique. The only way to be 100% sure you are not vulnerable to injection is to use prepared statements and bind parameters for all user input that needs to go into the query. Anything less than that, and you are pretty much just rolling the dice.
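To make the answer concrete, here is an added example that is not part of the question, the answer or the OWASP page: the page's login query built by string concatenation beside the same query with bound parameters. sqlite3 stands in for Oracle because it runs offline, and the table contents and user names are constructed; the bind-variable pattern is the same with Oracle's JDBC or OCI drivers.

```python
import sqlite3

# Constructed sample rows standing in for the page's user_data table.
ROWS = [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "o'brien", "pa55")]


def make_db():
    """Build an in-memory table with the columns used in the page's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (user_id INTEGER, user_name TEXT, user_password TEXT)"
    )
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?)", ROWS)
    return conn


def login_concat(conn, user_name, pwd):
    """The page's original pattern: the input is spliced into the SQL text,
    so any quote character in it is parsed as SQL grammar, not as data."""
    query = (
        "SELECT user_id FROM user_data WHERE user_name = '" + user_name
        + "' and user_password = '" + pwd + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_bound(conn, user_name, pwd):
    """Prepared statement with bound parameters: the SQL text is fixed and the
    values travel to the engine separately, so no escaping is needed at all."""
    query = "SELECT user_id FROM user_data WHERE user_name = ? and user_password = ?"
    return [row[0] for row in conn.execute(query, (user_name, pwd))]


def demo():
    """Run both variants on a legitimate name that merely contains a quote."""
    conn = make_db()
    user_name, pwd = "o'brien", "pa55"
    try:
        concat_result = login_concat(conn, user_name, pwd)
    except sqlite3.OperationalError as exc:
        # The quote in the name broke the statement: proof the engine treated
        # user input as SQL, which is exactly the opening an attacker needs.
        concat_result = "error: " + str(exc)
    return concat_result, login_bound(conn, user_name, pwd)


if __name__ == "__main__":
    print(demo())
```

The concatenated version fails on the apostrophe, while the bound version returns the row; an engine that parses your input as SQL on a harmless name will do the same on a malicious one, which is why escaping schemes such as the brace trick are a gamble and bind variables are not.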