Is it possible to do sql injection with stored procedures?

前端 未结 1 1032
面向向阳花
面向向阳花 2021-01-27 13:39

I saw some similar question, none about mysql...
Is there any way to do a sql injection into a SP? How do I protect from this on the SP level?
In other words, can the Q

相关标签:
1条回答
  • 2021-01-27 13:51

    SQL injection is, basically, adding extra code to the query. The attack itself occurs because the server parses the input data as SQL code and executes it accordingly. You cannot protect from it on the SP level, because when the execution gets to the procedure, the attack has already succeeded.

    So as long as you construct your queries as text, SQL injection is possible regardless of what the text of the query is. And if you don't, or if you properly sanitize your input, then again, SQL injection shouldn't be a problem, whether it's SELECT or something else.

    0 讨论(0)
提交回复
热议问题