类似于这样一个存储过程: create procedure sp_1 @name varchar(50) as --exec('select * from t where d='''+@name+'''') print 'select * from t where d='''+@name+'''' go你能看出它的漏洞吗?
若看不出来,你这样调用试试: declare @s varchar(50) set @s='testtest'' delete from t where ''''='''--这里delete就是攻击 exec sp_1 @s
这样处理防攻击: create procedure sp_1 @name varchar(50) as set @s=replace(@name,'''','''''')--引号处理 --这样处理后,传进来的参数就完全作为字符串处理了(即使里面包含了update、delete) --exec('select * from t where d='''+@name+'''') print 'select * from t where d='''+@name+'''' go
我不知道Request函数是什么功能. 但如果用户把单引号换成%27呢? http://YourIP/???.asp?name=man2004(梦鱼)%27;exec%20ms_foreachtable(%27truncate%20table%20?)--前台替换肯定是不安全的! "可以对一切的SQL注入Say NO!"?????????????????????? 后台替换,既然用了存储过程了,直接参数传递了,不必替换了. create procedure proctest(@name varchar(100)) as select * from table where name=@name
create procedure sp_1 @name varchar(50)
as
-- Vulnerable as written: @name is spliced into the statement text by string
-- concatenation, so the caller controls SQL syntax, not just a compared value.
-- The exec is commented out in this listing; print shows the text that would run.
--exec('select * from t where d='''+@name+'''')
print 'select * from t where d='''+@name+''''
go
你能看出它的漏洞吗?
-- Demonstration from the thread: because sp_1 concatenates @name into the
-- statement text, a value containing a single quote ends the literal and the
-- rest of the value is parsed as SQL. This is why the value must be bound as a
-- parameter (sp_executesql with a parameter list) rather than spliced into a string.
declare @s varchar(50)
set @s='testtest'' delete from t where ''''='''--the delete here is the attack
exec sp_1 @s
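create procedure sp_1 @name varchar(50)
as
-- Fixed version. The original assigned replace(@name,'''','''''') to an
-- undeclared variable @s and then never used it, so the quote-doubling had no
-- effect on the statement that was printed/executed. Escaping with replace() is
-- also fragile on its own (the doubled string can exceed a fixed-width variable
-- and be truncated). Binding the value with sp_executesql removes the need for
-- any escaping: @name reaches the engine as data, never as statement text.
-- The exec stays commented out as in the original listing; print shows the
-- parameterised template that would be run.
declare @sql nvarchar(200)
set @sql = N'select * from t where d=@d'
--exec sp_executesql @sql, N'@d varchar(50)', @d=@name
print @sql
go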
但如果用户把单引号换成%27呢?
http://YourIP/???.asp?name=man2004(梦鱼)%27;exec%20ms_foreachtable(%27truncate%20table%20?)--前台替换肯定是不安全的!
"可以对一切的SQL注入Say NO!"?????????????????????? 后台替换,既然用了存储过程了,直接参数传递了,不必替换了.
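-- Passing the value as a procedure parameter (no dynamic SQL) is the simplest
-- safe form: the comparison is compiled with @name as a bound value, so no
-- quote replacement is needed in the front end or inside the procedure.
-- "proceture" in the original listing is a typo; the keyword is PROCEDURE.
create procedure proctest(@name varchar(100))
as
-- [table] is a placeholder name from the thread; it is bracketed because TABLE
-- is a reserved word. Use the real table name and an explicit column list
-- in production.
select * from [table] where name=@name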