发表新帖
发表新帖

Is it safe to not parameterize an SQL query when the parameter is not a string?

前端 未结
关注
11 826
一生所求
一生所求 2020-12-23 15:57

In terms of SQL injection, I completely understand the necessity to parameterize a string parameter; that\'s one of the oldest tricks in the book. But when can

相关标签:
11条回答
  • 终归单人心
    2020-12-23 16:10

    To add some info to Maciek answer:

    It is easy to alter the culture info of a .NET third party app by calling the main-function of the assembly by reflection:

    using System;
using System.Globalization;
using System.Reflection;
using System.Threading;

namespace ConsoleApplication2
{
  class Program
  {
    static void Main(string[] args)
    {
      Assembly asm = Assembly.LoadFile(@"C:\BobbysApp.exe");
      MethodInfo mi = asm.GetType("Test").GetMethod("Main");
      mi.Invoke(null, null);
      Console.ReadLine();
    }

    static Program()
    {
      InstallBobbyTablesCulture();
    }

    static void InstallBobbyTablesCulture()
    {
      CultureInfo bobby = (CultureInfo)CultureInfo.InvariantCulture.Clone();
      bobby.DateTimeFormat.ShortDatePattern = @"yyyy-MM-dd'' OR ' '=''";
      bobby.DateTimeFormat.LongTimePattern = "";
      bobby.NumberFormat.NegativeSign = "1 OR 1=1 OR 1=";
      Thread.CurrentThread.CurrentCulture = bobby;
    }
  }
}

    This only works if the Main function of BobbysApp is public. If Main is not public, there might be other public functions you might call.

    0 讨论(0)
  • 日久生厌
    2020-12-23 16:12

    In some cases, it IS possible to perform SQL injection attack with non-parametrized (concatenated) variables other than string values - see this article by Jon: http://codeblog.jonskeet.uk/2014/08/08/the-bobbytables-culture/ .

    Thing is that when ToString is called, some custom culture provider can transform a non-string parameter into its string representation which injects some SQL into the query.

    0 讨论(0)
  • 庸人自扰
    2020-12-23 16:13

    There are actually two questions in one. And question from the title has very little to do with concerns expressed by the OP in the comments afterwards.

    Although I realize that for the OP it is their particular case that matters, for the readers coming from Google, it is important to answer to the more general question, that can be phrased as "is concatenation as safe as prepared statements if I made sure that every literal I am concatenating is safe?". So, I would like to concentrate on this latter one. And the answer is

    Definitely NO.

    The explanation is not that direct as most readers would like, but I'll try my best.

    I have been pondering on the matter for a while, resulting in the article (though based on the PHP environment) where I tried to sum everything up. It occurred to me that the question of protection from SQL injection is often eludes toward some related but narrower topics, like string escaping, type casting and such. Although some of the measures can be considered safe when taken by themselves, there is no system, nor a simple rule to follow. Which makes it very slippery ground, putting too much on the developer's attention and experience.

    The question of SQL injection cannot be simplified to a matter of some particular syntax issue. It is wider than average developer used to think. It's a methodological question as well. It is not only "Which particular formatting we have to apply", but "How it have to be done" as well.

    (From this point of view, an article from Jon Skeet cited in the other answer is doing rather bad than good, as it is again nitpicking on some edge case, concentrating on a particular syntax issue and failing to address the problem at whole.)

    When you're trying to address the question of protection not as whole but as a set of different syntax issues, you're facing multitude of problems.

    • the list of possible formatting choices is really huge. Means one can easily overlook some. Or confuse them (by using string escaping for identifier for example).
    • Concatenation means that all protection measures have to be done by the programmer, not program. This issue alone leads to several consequences:
      • such a formatting is manual. Manual means extremely error prone. One could simply forget to apply.
      • moreover, there is a temptation to move formatting procedures into some centralized function, messing things even more, and spoiling data that is not going to database.
    • when more than one developers involved, problems multiply by a factor of ten.
    • when concatenation is used, one cannot tell a potentially dangerous query at glance: they all potentially dangerous!

    Unlike that mess, prepared statements are indeed The Holy Grail:

    • it can be expressed in the form of one simple rule that is easy to follow.
    • it is essentially undetacheable measure, means the developer cannot interfere, and, willingly or unwillingly, spoil the process.
    • protection from injection is really only a side effect of the prepared statements, which real purpose is to produce syntactically correct statement. And a syntactically correct statement is 100% injection proof. Yet we need our syntax to be correct despite of any injection possibility.
    • if used all the way around, it protects the application regardless of the developer's experience. Say, there is a thing called second order injection. And a very strong delusion that reads "in order to protect, Escape All User Supplied Input". Combined together, they lead to injection, if a developer takes the liberty to decide, what needs to be protected and what not.

    (Thinking further, I discovered that current set of placeholders is not enough for the real life needs and have to be extended, both for the complex data structures, like arrays, and even SQL keywords or identifiers, which have to be sometimes added to the query dynamically too, but a developer is left unarmed for such a case, and forced to fall back to string concatenation but that's a matter of another question).

    Interestingly, this question's controversy is provoked by the very controversial nature of Stack Overflow. The site's idea is to make use of particular questions from users who ask directly to achieve the goal of having a database of general purpose answers suitable for users who come from search. The idea is not bad per se, but it fails in a situation like this: when a user asks a very narrow question, particularly to get an argument in a dispute with a colleague (or to decide if it worth to refactor the code). While most of experienced participants are trying to write an answer, keeping in mind the mission of Stack Overflow at whole, making their answer good for as many readers as possible, not the OP only.

    0 讨论(0)
  • 借酒劲吻你
    2020-12-23 16:14

    This is not safe even for non-string types. Always use parameters. Period.

    Consider following code example:

    var utcNow = DateTime.UtcNow;
var sqlCommand = new SqlCommand("SELECT * FROM People WHERE created_on <= '" + utcNow + "'");

    At the first glance code looks safe, but everything changes if you make some changes in Windows Regional Settings and add injection in short date format:

    Now resulting command text looks like this:

    SELECT * FROM People WHERE created_on <= '26.09.2015' OR '1'<>' 21:21:43'

    The same can be done for int type as user can define custom negative sign which can be easily changed into SQL injection.

    One could argue that invariant culture should be used instead of current culture, but I have seen string concatenations like this so many times and it is quite easy to miss when concatenating strings with objects using +.

    0 讨论(0)
  • 广开言路
    2020-12-23 16:18

    In my opinion if you can guarantee that the parameter you working with will never contain a string it is safe but I would not do it in any case. Also, you will see a slight performance drop due to the fact that you are performing concatenation. The question I would ask you is why don't you want to use parameters?

    0 讨论(0)
  • 执笔经年
    2020-12-23 16:19

    No you can get an SQL injection attack that way. I have written an old article in Turkish which shows how here. Article example in PHP and MySQL but concept works same in C# and SQL Server.

    Basically you attack following way. Lets consider you have a page which shows information according to integer id value. You do not parametrized this in value, like below.

    http://localhost/sqlEnjeksiyon//instructors.aspx?id=24

    Okay, I assume you are using MySQL and I attack following way. 

    http://localhost/sqlEnjeksiyon//instructors.aspx?id=ASCII((SELECT%20DATABASE()))

    Note that here injected value is not string. We are changing char value to int using ASCII function. You can accomplish same thing in SQL Server using "CAST(YourVarcharCol AS INT)".

    After that I use length and substring functions to find about your database name.

    http://localhost/sqlEnjeksiyon//instructors.aspx?id=LEN((SELECT%20DATABASE()))

http://localhost/sqlEnjeksiyon//instructors.aspx?id=ASCII(SUBSTR(SELECT%20DATABASE(),1,1))

    Then using database name, you start to get table names in database. 

    http://localhost/sqlEnjeksiyon//instructors.aspx?id=ASCII(SUBSTR((SELECT table_name FROM INFORMATION_SCHEMA.TABLES LIMIT 1),1,1))

    Of course you have to automate this process, since you only get ONE character per query. But you can easily automate it. My article shows one example in watir. Using only one page and not parameterized ID value. I can learn every table name in your database. After that I can look for important tables. It will take time but it is doable.

    0 讨论(0)
 看不清?
提交回复
热议问题