Is this an example of a SQL injection attack?

Question
I developed a web site for a client where they will post images of their merchandise online. The URL is www.domiainname.com/item-details.cfm?sku=125. Someone tried browsing to www.domiainname.com/item-details.cfm?sku=125%20and%203=3, which produced an error, of which I'm notified.
I've also received error reports of:
item-details.cfm?sku=1291+or+1=@@version--
item-details.cfm?sku=1291'+or+1=@@version
item-details.cfm?sku=1291+or+1=@@version
The last three examples are definitely of someone trying to get into the system, right?
If we converted this to be stored procedures, would that reduce or eliminate the risk of insertion attacks?
Accepted answer
Yes, it appears that someone is being malicious.
Using cfqueryparam will prevent SQL-injection attacks. When in doubt (and it's CF), ask Ben:
Example:
<cfquery ...>
SELECT *
FROM Products
WHERE SKU=<cfqueryparam value="#URL.SKU#" cfsqltype="CF_SQL_INTEGER">
</cfquery>
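As an added illustration (not code from the question or the answer), here is the same SKU lookup in Python with SQLite over a constructed Products table. A query that pastes the URL value into the SQL text answers `125 and 3=3` exactly like `125` but `125 and 3=4` with nothing, which is what that probe is testing for, while a typed, bound parameter (the equivalent of cfqueryparam with CF_SQL_INTEGER) rejects every one of the reported values before any SQL runs.

```python
import sqlite3


def build_db():
    """Constructed sample catalogue; not the asker's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (SKU INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?)",
                     [(125, "Lamp"), (126, "Chair"), (1291, "Table")])
    return conn


def lookup_vulnerable(conn, sku_param):
    """Equivalent of WHERE SKU=#URL.SKU#: the raw URL value becomes SQL text."""
    sql = f"SELECT SKU, Name FROM Products WHERE SKU={sku_param}"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, sku_param):
    """Equivalent of <cfqueryparam cfsqltype="CF_SQL_INTEGER">: the value must
    parse as an integer and is bound as data, never spliced into the SQL."""
    try:
        sku = int(sku_param)
    except ValueError:
        raise ValueError(f"invalid SKU: {sku_param!r}")
    return conn.execute("SELECT SKU, Name FROM Products WHERE SKU=?",
                        (sku,)).fetchall()


def describe(conn, lookup, sku_param):
    """Summarise one request the way the site's error notifications would."""
    try:
        rows = lookup(conn, sku_param)
        return f"{len(rows)} row(s)"
    except ValueError as e:
        return f"rejected: {e}"
    except sqlite3.Error as e:
        return f"SQL error: {e}"


if __name__ == "__main__":
    db = build_db()
    # Decoded forms of the URL values from the question (%20 and + are spaces).
    for probe in ["125", "125 and 3=3", "125 and 3=4", "1291' or 1=@@version"]:
        print(f"{probe!r:28} vulnerable: {describe(db, lookup_vulnerable, probe):40}"
              f" parameterized: {describe(db, lookup_parameterized, probe)}")
```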