Are there any differences between SQL Server and MySQL when it comes to preventing SQL injection?

Tagged: 后端 (Backend) · unresolved · 9 answers
Asked by 北荒, 2021-02-13 17:21

I am used to developing in PHP/MySQL and have no experience developing with SQL Server. I\'ve skimmed over the PHP MSSQL documentation and it looks similar to MySQLi in some of

9 answers
  •  不知归路
    2021-02-13 17:49

    Use parametrized queries with ADOdb or PDO. These libraries know the best escape function to use based on the database they are connected to. They allow you to switch between MySQL and MS-SQL without introducing vulnerabilities.

    SQL injection for MySQL and MS-SQL is radically different.

    SQL injection for MS-SQL is much more serious. For one, you can stack queries:

    select * from `table` where id='1' ; drop table `table`;-- '
    

    Escaping is totally different: addslashes() does not stop SQL injection under MS-SQL. It uses a doubled-quote system, so this is an escaped query:

    select * from table where test='trying to inject '' didn''t work!'
    

    A hacker can also access cmd.exe using xp_cmdshell from a SQL query. Make sure this privilege has been removed!

    Under MySQL you can't stack, so it's common to use union select (this only works when injecting into a select; otherwise you can use a sub-select, but you can't stack a drop/update/delete/insert on top of a select):

    select something from table where 1 union select password from mysql.user
    

    Escaping is done with back slashes, addslashes() works most of the time, but mysql_real_escape_string() is a lot better.

    select * from table where test='trying to inject \' didn\'t work!'
    

    Also, you want to disable file_priv; otherwise a hacker might be able to drop a backdoor:

    select test from table where name='jon' union select "" into outfile "/var/www/backdoor.php"-- '
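The parametrized approach the answer recommends, written out in PHP with PDO, as an added example that is not code from the original post. It also includes a small helper that makes the escaping difference concrete (quote doubling for SQL Server, backslashes for MySQL). The DSNs, credentials, the table `test_table` and its `test` column are assumptions, and the code needs PHP 8 for `match`.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. DSNs, credentials,
// table and column names are assumptions for illustration (PHP 8+).

function connect(string $driver): PDO
{
    $dsn = match ($driver) {
        'mysql'  => 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
        'sqlsrv' => 'sqlsrv:Server=127.0.0.1;Database=app',
        default  => throw new InvalidArgumentException("unsupported driver: $driver"),
    };
    return new PDO($dsn, 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements where the driver supports
        // them, so the value travels separately from the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// The only query style that is safe on both backends: the value is bound,
// never spliced into the statement, so stacked queries, union select and
// quote tricks all arrive as plain data.
function findByTest(PDO $pdo, string $test): array
{
    $stmt = $pdo->prepare('SELECT * FROM test_table WHERE test = :test');
    $stmt->execute([':test' => $test]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// For comparison only: how the same value has to be written as a literal in
// each dialect. This is why addslashes() is wrong for SQL Server: it emits
// \' but T-SQL ends the literal at the first unpaired single quote.
// In real code use $pdo->quote($value), which applies the rule of the
// connected driver, or better, bind parameters as above.
function quoteLiteral(string $value, string $driver): string
{
    return match ($driver) {
        // T-SQL: a quote inside a literal is written as two quotes.
        'sqlsrv' => "'" . str_replace("'", "''", $value) . "'",
        // MySQL: backslash escaping, the same character set that
        // mysql_real_escape_string() handles (charset edge cases aside).
        'mysql'  => "'" . strtr($value, [
            "\\"   => "\\\\",
            "'"    => "\\'",
            "\""   => "\\\"",
            "\0"   => "\\0",
            "\n"   => "\\n",
            "\r"   => "\\r",
            "\x1a" => "\\Z",
        ]) . "'",
        default  => throw new InvalidArgumentException("unsupported driver: $driver"),
    };
}

// Usage (assumes a reachable server with the assumed schema):
// $pdo  = connect('sqlsrv');
// $rows = findByTest($pdo, "trying to inject ' didn't work!");
// echo quoteLiteral("it's", 'sqlsrv'), "\n";
// echo quoteLiteral("it's", 'mysql'), "\n";
```

`findByTest()` is the part to copy: with the value bound as a parameter, the same code works against either DSN and the dialect-specific escaping never has to be reasoned about. `quoteLiteral()` exists only to show why a single hand-rolled escape function cannot serve both servers.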
    
