来源:自学PHP网 时间:2015-04-17 13:02 作者: 阅读:次
[导读] Preventing SQL InjectionThe following functions and methods provide a way for SQL to be submitted to the database; they are, therefore, subject to SQL injection vulnerabil......
Preventing SQL Injection
The following functions and methods provide a way for SQL to be submitted to the database; they are, therefore, subject to SQL injection vulnerabilities: SQLExec function CreateSQL function Rowset class Select method Rowset class SelectNew method Rowset class Fill method Rowset class FillAppend method Look at the following PeopleCode as an example: rem Retrieve user input from the name field; &UserInput = GetField(Field.NAME).Value; SQLExec("SELECT NAME, PHONE FROM PS_INFO WHERE NAME='" | &UserInput | "'", &Name, &Phone); www.2cto.com The code is meant to enable the user to type in a name and get the person's phone number. In the example, the developer expects that the user will input data such as Smith, in which case the resulting SQL would look like this: SELECT NAME, PHONE FROM PS_INFO WHERE NAME='Smith' However, if the user specified "Smith' OR AGE > 55 --", the resulting SQL would look like this: SELECT NAME, PHONE FROM PS_INFO WHERE NAME='Smith' OR AGE > 55 --' Note the use of the comment operator (--) to ignore the trailing single quotation mark placed by the developer's code. This would allow a devious user to find everyone older than 55. Use the following approaches to avoid SQL injection vulnerabilities: Where possible, avoid using string-building techniques to generate SQL. Note. String-building techniques cannot always be avoided. String-building does not pose a threat unless unvalidated user input is concatenated to SQL. Use bind variables where possible rather that string concatenation. The following example is vulnerable: SQLExec("SELECT NAME, PHONE FROM PS_INFO WHERE NAME='" | &UserInput | "'", &Name, &Phone); Use the Quote PeopleCode function on the user input before concatenating it to SQL. This pairs the quotation marks in the user input, effectively negating any SQL injection attack. The following example is vulnerable: SQLExec("SELECT NAME, PHONE FROM PS_INFO WHERE NAME='" | &UserInput | "'", &Name, &Phone); This example is not vulnerable: SQLExec("SELECT NAME, PHONE FROM PS_INFO WHERE NAME='" | Quote(&UserInput) | "'", &Name, &Phone); Specify whether SQL errors appear to the user with the Suppress SQL Error setting in the PSTOOLS section of the application server configuration file. Normally, the SQL in error appears to the user in a number of messages. If you consider this a security issue, add the following line to your application server configuration file: Suppress SQL Error=1 When this line is set, SQL errors do not display details; instead, they refer the user to consult the system log. The detail that was in the SQL message is written to the log file. |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com