Question
I'm creating a sidebar search (by clicking options) and picking the variables clicked to create an SQL query.
More specifically:
1. The user selects options in the sidebar.
2. I create a string (as the URL to be called) based on those selections, adding params as 'param1=value&'...
3. An AJAX call goes to the PHP controller -> model -> query the database based on the params via $_GET.
I use prepared statements in the end, but in theory an attacker can make up their own URL. To avoid this I pre-specify the allowed values ($keysArr) and if the $_GET vars are not there the script dies. I am also simply adding int() to expected numeric values, so PHP will throw an error if it's not an int.
// Allowlist of query-string keys the search accepts
$keysArr = ['x', 'y', 'z'];
// $ArrfromGET holds the contents of $_GET
foreach ($ArrfromGET as $key => $value) {
    if (!in_array($key, $keysArr, true)) {
        // Any key outside the allowlist aborts the request
        die("don't attack me");
    }
}
Am I doing this correctly?
The search is based on values generated dynamically, so I'm not sure what to do about it. The code is based on https://www.w3schools.com/js/js_ajax_database.asp.
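As an added example that is not part of the original question or answer: the approach described above (allowlist the keys, validate the values, then use prepared statements with placeholders) carried through in PHP with PDO. The table name `items`, the columns `x`, `y`, `z`, and the sample rows are assumptions made for illustration; an in-memory SQLite database stands in for the real one so the script runs offline.

```php
<?php
// Added example (not from the original question or answer): an allowlist-driven
// query builder for sidebar-style search parameters, using PDO prepared statements.
// The table name, column names and sample rows are assumptions for illustration.
declare(strict_types=1);

/**
 * Permitted query keys mapped to the type their value must have.
 * Anything not in this map is rejected, so an attacker-crafted URL cannot
 * choose columns, operators or table names: those only ever come from here.
 */
const ALLOWED_FILTERS = [
    'x' => 'int',
    'y' => 'int',
    'z' => 'string',
];

function cleanValue(string $type, string $raw): int|string
{
    if ($type === 'int') {
        // FILTER_VALIDATE_INT rejects "1 OR 1=1", "1e3", "0x10" and the like,
        // unlike a bare (int) cast, which silently turns them into 1, 1 and 0.
        $v = filter_var($raw, FILTER_VALIDATE_INT);
        if ($v === false) {
            throw new InvalidArgumentException("expected integer, got: $raw");
        }
        return $v;
    }
    // Strings are bound as parameters, so they cannot change the query;
    // a length cap just keeps absurd input out of the database.
    if (strlen($raw) > 100) {
        throw new InvalidArgumentException('value too long');
    }
    return $raw;
}

/**
 * Build 'SELECT ... WHERE "x" = :x AND "z" = :z' from the query-string array.
 * Returns [sql, bindings]. Column names come only from ALLOWED_FILTERS keys,
 * never from user input; values travel through placeholders.
 */
function buildSearch(array $params): array
{
    $where = [];
    $bind = [];
    foreach ($params as $key => $value) {
        if (!array_key_exists($key, ALLOWED_FILTERS)) {
            // Unknown key: refuse the whole request rather than ignoring it.
            throw new InvalidArgumentException("unknown filter: $key");
        }
        if (!is_string($value)) {
            // $_GET can carry arrays (?x[]=1); those are not acceptable values.
            throw new InvalidArgumentException("bad value for $key");
        }
        // Double-quoted identifier (SQLite/standard SQL); use backticks on MySQL.
        $where[] = "\"$key\" = :$key";
        $bind[":$key"] = cleanValue(ALLOWED_FILTERS[$key], $value);
    }
    $sql = 'SELECT id, x, y, z FROM items';
    if ($where !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return [$sql, $bind];
}

function runSearch(PDO $db, array $params): array
{
    [$sql, $bind] = buildSearch($params);
    $stmt = $db->prepare($sql);
    foreach ($bind as $name => $v) {
        $stmt->bindValue($name, $v, is_int($v) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo with an in-memory SQLite database (constructed sample data) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, x INTEGER, y INTEGER, z TEXT)');
$db->exec("INSERT INTO items (x, y, z) VALUES (1, 10, 'red'), (2, 20, 'blue'), (1, 30, 'blue')");

// Equivalent of $_GET after "?x=1&z=blue": matches only the row with id 3
print_r(runSearch($db, ['x' => '1', 'z' => 'blue']));

// Attacker-crafted URLs are refused before any SQL is built
foreach ([['x' => '1 OR 1=1'], ['id' => '1'], ['x' => ['1']]] as $bad) {
    try {
        runSearch($db, $bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

The point of the design is that user input only ever decides which allowlisted keys are present and what bound values they carry; the SQL text itself is assembled from constants. On MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the client library, does the parameter binding.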
Answer 1:
You can try this.
Note I'm just showing how to secure a dynamic query in SQL.
-- Parameter list that sp_executesql will bind into the dynamic SQL
DECLARE @ParameterDefinition NVARCHAR(MAX);
SET @ParameterDefinition = N'
@P_Name NVARCHAR(50)
, @P_Address NVARCHAR(50)';
DECLARE @SQL NVARCHAR(MAX);
DECLARE @Name NVARCHAR(50) = N'';    -- set here value
DECLARE @Address NVARCHAR(50) = N''; -- set here value
-- User-supplied values never appear in the query text, only as parameters
SET @SQL = N'SELECT * FROM [User] WHERE Name = @P_Name OR Address = @P_Address';
EXECUTE sp_executesql @SQL, @ParameterDefinition,
@P_Name = @Name,
@P_Address = @Address;
Source: https://stackoverflow.com/questions/58543198/security-with-dynamically-generated-sql-query