Demonstrate SQL injection in PL/pgSQL

Submitted by ε祈祈猫儿з on 2019-12-10 23:49:35

Question


I have this function in plpgsql:

CREATE OR REPLACE function login_v(em varchar, passwd varchar)
  RETURNS users AS $$
DECLARE
   cu users;
BEGIN
   SELECT * into cu
   FROM users where email = em 
   AND encrypted_password = crypt(passwd, encrypted_password);

   return cu;
END
$$ LANGUAGE plpgsql;

When I provide an input like this: select login_v('test@test.com'' OR 1=1;--','la la la');, I think my method should return the user with email test@test.com. What am I doing wrong?

Performing SQL injection is necessary here to demonstrate the concept for an exercise, but I am an SQL injection and plpgsql boob. :|


Answer 1:


SQL queries in PL/pgSQL are planned like prepared statements. As long as you only pass values like you do, SQL injection is generally impossible. Details:

  • SQL injection in Postgres functions vs prepared queries

Use dynamic SQL with EXECUTE and without proper parameter handling to actually demonstrate SQL injection.

Like (this is how not to do it!):

CREATE OR REPLACE FUNCTION login_v(em varchar, passwd varchar)
  RETURNS SETOF users AS
$func$
BEGIN
   RETURN QUERY EXECUTE
        'SELECT *
         FROM   users
         WHERE  email = $1
         AND    encrypted_password = crypt(''' || passwd || ''', encrypted_password)'
   USING em;
END
$func$  LANGUAGE plpgsql;

The first variable em is properly passed with the USING clause as value and thus cannot be abused for SQL injection.

But the second variable passwd is improperly concatenated without properly escaping. Thus, user input can be converted to SQL code. SQL injection.

Never use this! Except when demonstrating how not to do it.

Similar mischief is possible when concatenating SQL strings in the client improperly.
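The hardened counterpart of the function above, added here as an example that is not part of the original answer: the same dynamic query with both inputs passed as values instead of spliced into the SQL text. It assumes the users table with email and encrypted_password columns and the pgcrypto extension (for crypt()) that the question already uses; the function name login_v_fmt is an arbitrary choice for the second variant.

```sql
-- Added example, not code from the original question or answer.
-- Assumes: users(email, encrypted_password) and pgcrypto's crypt(), as in the question.

-- Option 1: pass every user-supplied value through USING. Both values are bound
-- as parameters ($1, $2) and never become part of the SQL text, so quote
-- characters inside them are inert.
CREATE OR REPLACE FUNCTION login_v(em varchar, passwd varchar)
  RETURNS SETOF users AS
$func$
BEGIN
   RETURN QUERY EXECUTE
        'SELECT *
         FROM   users
         WHERE  email = $1
         AND    encrypted_password = crypt($2, encrypted_password)'
   USING em, passwd;
END
$func$  LANGUAGE plpgsql;

-- Option 2: if a value really has to be spliced into the SQL string, let
-- format() with %L quote it as a literal (embedded single quotes are doubled).
-- login_v_fmt is a name chosen for this example.
CREATE OR REPLACE FUNCTION login_v_fmt(em varchar, passwd varchar)
  RETURNS SETOF users AS
$func$
BEGIN
   RETURN QUERY EXECUTE format(
        'SELECT *
         FROM   users
         WHERE  email = %L
         AND    encrypted_password = crypt(%L, encrypted_password)',
        em, passwd);
END
$func$  LANGUAGE plpgsql;

-- Shows what %L does with the input from the question: the result is one quoted
-- string literal, so it cannot be reinterpreted as SQL code.
SELECT format('%L', 'test@test.com'' OR 1=1;--');

-- With either hardened function the call from the question simply matches no
-- row (no user has that whole string as an email), instead of altering the query.
SELECT * FROM login_v('test@test.com'' OR 1=1;--', 'la la la');
```

Prefer Option 1: parameters bound with USING are the same mechanism that makes the non-dynamic function in the question safe. Option 2 is for the rare case where the spliced-in part must be an identifier or a fragment of SQL; use %I for identifiers and %L for literals, and never plain || concatenation of user input.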



Source: https://stackoverflow.com/questions/41686393/demonstrate-sql-injection-in-pl-pgsql
