Is SQL injection possible even on a prepared statement

人盡茶涼 提交于 2019-12-02 10:43:05

问题


I read many articles on Stack Overflow regarding how SQL injection can be prevented by using prepared statements

But is there any way to do SQL injection even on prepared statements or is it 100% safe?

Below is my java code

 String query = "SELECT * FROM Users WHERE username=? and password=?";

 ps=con.prepareStatement(query);  

 ps.setString(1,username);
 ps.setString(2,password);

 rs = ps.executeQuery();

 status = rs.next();

 if(status==true){
.....
}else{
....
}

I tried some sql injection queries like

Some Inputs:

SELECT * FROM users WHERE username = 'xxx@xxx.xxx' OR 1 = 1 LIMIT 1 -- ' ] AND password = md5('1234');

SELECT * FROM users WHERE email = 'xxx@xxx.xxx' AND password = md5('xxx') OR 1 = 1 -- ]');

I have also tried with some more queries but as the (single quote)' is escaped(/') none of the SQL injection queries seem to work.

Kindly suggest me if there are any SQL injection queries/techniques which can be applied to do SQL injection in the above code.


回答1:


This query : String query = "SELECT * FROM Users WHERE username=? and password=?"; is safe, because whatever the parameters can be, it will still be executed as a simple select. At most, it will end browsing a whole table.

But prepared statement is just a tool and (bad) programmers may still misuse it.

Let's look at the following query

String query = "SELECT id, " + paramName + " FROM Users WHERE username=? and password=?";

where paramName would be a parameter name. It is only as safe as paramName is, because you use directly a variable to build the string that will be parsed by the database engine. Here PreparedStatement cannot help because JDBC does not allow to parameterize a column name.

So the rule here will be :

  • avoid such a construct if you can !
  • if you really need it, double check (regexes, list of allowed strings, etc.) that paramName cannot be anything other than what you expect because that control is the only prevention against SQL injection


来源:https://stackoverflow.com/questions/30168659/is-sql-injection-possible-even-on-a-prepared-statement

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!