I've got a web application with an SQL injection as part of an INSERT statement. It looks like this:
INSERT INTO table1 VALUES ('str1', 1, 'INJECTION HER
Of course, if you change your database/driver combination from your current implementation to something supporting multiple requests, then you'll activate a dormant security hole that (no doubt) people will have forgotten about!
Ignoring the nefarious, malicious scenarios, the above will cause you problems with inserting regular data, including quote characters etc., i.e. the above simply won't work for particular sets of data (unless cleansed/escaped etc.). I would correct it simply for functionality purposes.
You should have a look at PreparedStatement, and the data insertion methods for this (setString()) etc.
e.g.:
import java.math.BigDecimal;
import java.sql.PreparedStatement;

PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
pstmt.setBigDecimal(1, new BigDecimal("153833.00")); // setBigDecimal takes a BigDecimal, not a double literal
pstmt.setString(2, "Insert what you like here");     // bound as data; never parsed as part of the SQL text
pstmt.executeUpdate();
The setString() method will support any string without escaping/injection issues.
SQL injection doesn't have to delete something from the database. The attacker might want to retrieve some valuable data that he's not supposed to have access to.
For example, consider the following post-injection form (I'm not familiar with MySQL syntax, but something like this should be possible in general - add casts as needed):
INSERT INTO table1 VALUES ('str1', 1,
-- injected stuff --
'' || (SELECT valuable_info FROM admin_only_table WHERE id=1) || ''
-- end injected stuff --
);
Now table1 - which can be, say, where some publicly accessible info is retrieved from, so anyone can see the values - contains a potentially sensitive value from a presumably secure table admin_only_table.
Of course, this assumes that your server doesn't do any tricks such as user impersonation or otherwise limits permissions on SQL level for the queries, but rather performs them all with full privileges.
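As an added, runnable example (not code from the original question or any of the answers), the following reproduces the exfiltration described above and contrasts it with the parameterized fix recommended in the PreparedStatement answer. It uses Python's sqlite3 module as a stand-in for a JDBC driver, since SQLite accepts the same || concatenation and scalar subselect. The schema, the 'admin-password-hash' value, the O'Reilly test string and all function names are assumptions constructed for the demo.

```python
import sqlite3


# Constructed sample schema and data (not from the original post): table1 is the
# publicly readable table from the answer, admin_only_table holds a secret row.
def setup_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE table1 (col1 TEXT, col2 INTEGER, col3 TEXT)")
    con.execute("CREATE TABLE admin_only_table (id INTEGER PRIMARY KEY, valuable_info TEXT)")
    con.execute("INSERT INTO admin_only_table VALUES (1, 'admin-password-hash')")
    return con


def insert_vulnerable(con, user_input):
    # The pattern from the question: the input is spliced into the statement text,
    # so anything that closes the quote is parsed as SQL.
    sql = "INSERT INTO table1 VALUES ('str1', 1, '" + user_input + "')"
    con.execute(sql)


def insert_parameterized(con, user_input):
    # The fix the answers recommend: a placeholder (the sqlite3 analogue of
    # PreparedStatement.setString). The value is bound as data and never parsed.
    con.execute("INSERT INTO table1 VALUES ('str1', 1, ?)", (user_input,))


def public_values(con):
    # What anyone who can read table1 gets to see.
    return [row[0] for row in con.execute("SELECT col3 FROM table1")]


# The exfiltration payload from the answer: close the literal, concatenate a
# scalar subselect against the admin-only table, reopen the literal.
PAYLOAD = "' || (SELECT valuable_info FROM admin_only_table WHERE id=1) || '"


def run_exfiltration():
    """Return (what leaks via concatenation, what is stored via binding)."""
    leaky = setup_db()
    insert_vulnerable(leaky, PAYLOAD)
    safe = setup_db()
    insert_parameterized(safe, PAYLOAD)
    return public_values(leaky), public_values(safe)


def apostrophe_breaks_concatenation():
    """The functional point from the first answer: ordinary data containing a
    quote character breaks the concatenated statement but binds cleanly."""
    leaky = setup_db()
    try:
        insert_vulnerable(leaky, "O'Reilly")
        broke = False
    except sqlite3.OperationalError:
        broke = True
    safe = setup_db()
    insert_parameterized(safe, "O'Reilly")
    return broke, public_values(safe)


if __name__ == "__main__":
    leaked, stored = run_exfiltration()
    print("concatenation leaked:", leaked)   # the admin secret, now readable from table1
    print("binding stored:", stored)          # the payload text itself, inert
    print("apostrophe breaks concatenation:", apostrophe_breaks_concatenation())
```

With concatenation, table1 ends up holding the admin secret even though the attacker never issued a SELECT of their own; with the placeholder, the identical payload is stored as an inert string. Note that the leak works only because the INSERT runs with privileges that can read admin_only_table, which is the permission caveat the answer makes.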
As explained in this post, there are more bad things that can happen to your application than the classic table DROP:
Bottom line, you should never use string concatenation when building SQL statements. Use a dedicated API for that purpose.