问题
I've done some searching around but I have a specific question on SQL Injection and hope I can get some input as I believe I may be getting the wrong end of the stick to do with field data sanitising etc :-
I have a java program calling a stored procedure on an iSeries. The stored procedure has CL / RPG code behind the scenes. The stored procedure is called by way of parameters with the data coming from a web page. For example the call would look like the following:-
call library.prog('field1Value', 'field2Value')
Do I need to worry about any characters entered via the website into 'field1Value' etc or, because it is a stored procedure call, does the danger of sql injection not exist? Does it depend on whether the RPG program behind the scenes uses 'field1Value' in its own SQL statement as part of that processing?
The field lengths passed into the proecdure are fixed length so we cannot, for example, convert 'dodgy' characters into their html equivalent.
Appreciate any (I'm anticipating this might be a stupid question!) feedback (not necessarily iSeries specific) on this.
回答1:
unless you are using those parameters to construct dynamic sql in the proc itself you should be fine
also you cannot clean it by checking the parameters
see here: SQL teaser..try protecting this
below is sql server syntax
I can call a proc like this
prDropDeadFred ' declare @d varchar(100) select @d = reverse(''elbaTdaB,elbatecin elbat pord'') exec (@d)'
or like this
prDropDeadFred ' declare @d varchar(100) select @d = convert(varchar(100),0x64726F70207461626C65204E6963655461626C652C4261645461626C65) exec (@d)'
or 5000 other ways that you won't know about
回答2:
You might NOT be safe, if the called program uses the input parameters to construct dynamic SQL, passes the information to another program that does, or stores it in a database table field which is later used for dynamic SQL in some other program.
回答3:
If you're using the JDBC CallableStatement, then you're safe. CallableStatement is just a subtype of PreparedStatement, and SQL injection attacks should not be possible. The only way I can think of for this not to be true would be if your stored procedure was executing dynamic SQL.
来源:https://stackoverflow.com/questions/1119656/sql-injection-no-danger-on-stored-procedure-call-on-iseries