本文介绍了ColdFusion查询 - 注入保护的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我问这个问题有点sheep,因为我应该知道答案。

I ask this question with a bit of sheepishness because I should know the answer. Could someone be kind and explain if and how injection could occur in the following code?

<cfquery>
    select * from tableName
    where fieldName = '#value#'
</cfquery>

我特别关心注入尝试和其他恶意输入,而不是关于最佳做法或输入验证处理正常用户输入。我看到有人强烈主张使用CFQueryParam,但是不要以为我看到了点。如果已验证用户输入与数据库模式的一致性(例如,输入必须是数字数据库字段的数字),使用CFQueryParam是否还有其他问题? < cfqueryparam CFSQLType =CF_SQL_VARCHAR> 做什么'#value#'

I'm specifically curious about injection attempts and other malicious input, not about best practices or input validation for handling "normal" user input. I see folks strongly advocating use of CFQueryParam, but don't think I see the point. If user input has been validated for consistency to the database schema (e.g. so that input must be numeric for numerical database fields), is there anything else gained by using CFQueryParam? What does <cfqueryparam CFSQLType = "CF_SQL_VARCHAR"> do that '#value#' doesn't do?

推荐答案

是的,它会将'转换为

Yep, it'll convert ' to '' for you.

现在猜测你从这段代码中得到什么SQL:

Now guess what SQL you get from this code:

<cfset value = "\'; DROP TABLE tableName -- " />

<cfquery>
    select * from tableName
    where fieldName = '#value#'
</cfquery>


cfqueryparam标签工作;使用查询参数解决SQL注入。

The cfqueryparam tag works; using query params solves SQL injection.

任何自定义书面尝试验证,清理或转义(所有单独的东西,btw)最多只有

Any custom written attempts at validating, sanitizing, or escaping (all separate things, btw) are, at best, only as good as the developer's knowledge of the database system the code is running against.

如果开发人员不知道其他转义方法,或者在验证/转义和转义之间修改了值呈现为SQL,或者即使代码库已移植到另一个数据库系统,并且似乎很好,也可能会导致自定义代码崩溃。

If the developer is unaware of other escape methods, or if the values are modified between validation/escaping and them being rendered into SQL, or even if the codebase is ported to another database system and seems to be fine, there's a chance of custom code breaking down.

当谈到安全性,你不想要这样的机会。所以使用cfqueryparam。

When it comes to security, you don't want chances like that. So use cfqueryparam.

这篇关于ColdFusion查询 - 注入保护的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

10-24 14:02