问题描述
我已经实现了一个由 HttpRequest 触发的 Azure 函数.名为 name
的参数作为 HttpRequest 的一部分传递.在 Integration
部分,我使用以下查询从 CosmosDB 检索数据(作为输入):
I have implemented an Azure function that is triggered by a HttpRequest. A parameter called name
is passed as part of the HttpRequest. In Integration
section, I have used the following query to retrieve data from CosmosDB (as an input):
SELECT * FROM c.my_collection pm
WHERE
Contains(pm.first_name,{name})
如您所见,我发送的名称"没有对其进行消毒
.这里有任何 SQLInjection
问题吗?
As you see I am sending the 'name' without sanitizing
it. Is there any SQLInjection
concern here?
我搜索并注意到 parameterization
可用,但这不是我可以在这里做的任何事情.
I searched and noticed that parameterization
is available but that is not something I can do anything about here.
推荐答案
发生绑定时(来自 HTTP 触发器的数据被发送到 Cosmos DB 输入绑定),它通过 SQLParameterCollection
将处理清理.
When the binding occurs (the data from the HTTP Trigger gets sent to the Cosmos DB Input bind), it is passed through a SQLParameterCollection
that will handle sanitization.
请查看这篇文章:
参数化 SQL 提供对用户输入的稳健处理和转义,防止通过SQL 注入"意外暴露数据
这将涵盖通过 name
属性注入 SQL 的任何尝试.
This will cover any attempt to inject SQL through the name
property.
这篇关于Azure 函数中针对 CosmosDB 的 SQLInjection的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!