Proving SQL Injection

Back end | Unresolved | 5 | 1081
旧巷少年郎 2021-01-01 01:24

I'm trying to simply prove here that this simple function isn't good enough to prevent every sql injection in the world:

Function CleanForSQL(ByVal input A

5 answers
  •  长情又很酷
    2021-01-01 01:56

    The Chr(8) is part of the quoted literal string, as is the update statement, so SQL Server is not going to interpret it as a function call. With this example, Text1 will be set to the literal value:

    'Chr(8); update tblMaint SET Value1 = 2 WHERE ValueID = 2--
    

    (yes, including that single quote)

    So, with this example, your code is secure. Most hand-wringing over SQL injection is about accidentally failing to validate and quote values, there is nothing inherently unsafe in a properly-quoted SQL statement.
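The following Python script is an added example, not part of the thread and not the poster's CleanForSQL (whose body is not shown on this page). It reproduces the answer's point against an in-memory SQLite table instead of SQL Server (single quotes are doubled the same way in both): it assumes CleanForSQL doubles single quotes (an assumption), builds the UPDATE by string concatenation the way the question does, and shows that the payload ends up stored verbatim inside the quoted literal, leading quote included, while the injected update never runs. The contrast function drops an unvalidated id into an unquoted numeric position, which is the kind of "failing to validate and quote" the answer says injection worries are really about. The payload and the attacker-controlled id are constructed sample inputs.

```python
import sqlite3

# Constructed sample input, copied from the thread: the injected text sits
# inside a quoted literal, so a properly escaped statement stores it as data.
PAYLOAD = "'Chr(8); update tblMaint SET Value1 = 2 WHERE ValueID = 2--"


def clean_for_sql(value: str) -> str:
    """Stand-in for the thread's CleanForSQL (assumption: the original VB
    function doubles single quotes). A doubled quote cannot close the
    literal the value is placed in."""
    return value.replace("'", "''")


def fresh_db() -> sqlite3.Connection:
    """In-memory table with two rows, so we can see whether the injected
    UPDATE against row 2 ever runs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE tblMaint (ValueID INTEGER PRIMARY KEY, Value1 INTEGER, Text1 TEXT);"
        "INSERT INTO tblMaint VALUES (1, 1, 'one');"
        "INSERT INTO tblMaint VALUES (2, 1, 'two');"
    )
    return conn


def snapshot(conn: sqlite3.Connection) -> dict:
    """ValueID -> (Value1, Text1) for every row."""
    rows = conn.execute("SELECT ValueID, Value1, Text1 FROM tblMaint ORDER BY ValueID")
    return {vid: (v1, t1) for vid, v1, t1 in rows}


def update_text_quoted(conn: sqlite3.Connection, value_id: int, text: str) -> dict:
    """Concatenate the statement as the question does, but with the user value
    inside a quoted, escaped literal and the id coerced to int.
    executescript() is used on purpose: it WOULD execute a second statement if
    the literal were broken out of, so the unchanged row 2 proves it was not."""
    sql = (f"UPDATE tblMaint SET Text1 = '{clean_for_sql(text)}' "
           f"WHERE ValueID = {int(value_id)};")
    conn.executescript(sql)
    return snapshot(conn)


def update_text_unvalidated_id(conn: sqlite3.Connection, value_id: str, text: str) -> dict:
    """The failure mode the answer warns about: the text is quoted and escaped,
    but the id goes into an unquoted numeric position with no validation, so
    an attacker-controlled id can terminate the UPDATE and append its own."""
    sql = (f"UPDATE tblMaint SET Text1 = '{clean_for_sql(text)}' "
           f"WHERE ValueID = {value_id};")
    conn.executescript(sql)
    return snapshot(conn)


# Constructed attacker id for the unvalidated case.
EVIL_ID = "1; UPDATE tblMaint SET Value1 = 2 WHERE ValueID = 2 --"

if __name__ == "__main__":
    db = fresh_db()
    # Row 1 now holds PAYLOAD verbatim (leading quote included); row 2 untouched.
    print(update_text_quoted(db, 1, PAYLOAD))

    db = fresh_db()
    # Row 2's Value1 becomes 2: the appended UPDATE ran.
    print(update_text_unvalidated_id(db, EVIL_ID, "hello"))
```

The same contrast holds on SQL Server: the quoted, escaped literal is inert no matter what it contains, and the only way the text of the payload becomes a statement is if some part of the query is assembled from an unquoted or unescaped value.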
