For a long time, I thought the most common security problem in back-end development was SQL injection. With the magical trick of writing SQL where 1=1, you could easily attack a vulnerable system, and this eventually evolved into the existence of an artifact like sqlmap.
Later, fastjson refreshed my understanding. That framework can be regarded as a promotion of the concept of Internet security: even bosses who don't understand technology know that fastjson is extremely fast, and as programmers our security awareness has improved. The same goes for frameworks such as thinkphp, which means there are fewer and fewer SQL injection vulnerabilities. But that doesn't mean there aren't any; it just means the bar has been raised. Let's take MyBatis as an example to see whether SQL injection can still occur.
SQL injection still exists in MyBatis
Students who use MyBatis first come into contact with the difference between # and $. These two symbols look very much like the magic symbols in shell, but fortunately there are only two cases.
- # means SQL precompilation (a prepared statement) is used, which is safe and reliable
- $ means string splicing is used, and there is a risk of SQL injection
For example, the following XML configuration is an absolutely safe way of writing, because the entire #{id} is replaced by a ? placeholder.
<select id="queryAll" resultMap="resultMap"> SELECT * FROM order WHERE id = #{id} </select>
But unfortunately, in some scenarios precompilation cannot be used (or you just don't know how, or are lazy). For example, during some code refactorings, when fields such as table name, column name or sort order are passed in dynamically, SQL splicing is unavoidable, and SQL injection still occurs.
But the more likely problems are statements like LIKE and IN. Below are two ways of writing a LIKE fuzzy query. In actual testing you will find that only the one using $ runs. This is where the problem arises.
SELECT * FROM order WHERE name like '%#{name}%' // reports a syntax error
SELECT * FROM order WHERE name like '%${name}%' // runs
The correct way to write it is to use function splicing. But with the delivery deadline looming, most people choose the simple way of writing without even realizing it. After all, function comes first, and it is also the most important way to show workload.
SELECT * FROM order WHERE name like concat('%', #{name}, '%') // the correct way
The same problem exists in the IN statement.
in (#{tag}) // reports an error
in (${tag}) // runs
Since it runs with just a few characters, of course nobody chooses the complicated way of writing below.
tag in <foreach collection="tag" item="item" open="(" separator="," close=")"> #{item} </foreach>
Don't take order by lightly either, otherwise you will be doomed.
SELECT * FROM order order by createDate #{sortType} // reports an error
SELECT * FROM order order by createDate ${sortType} // works
In this case you need to whitelist sortType. It's not just ASC and DESC: if someone sends you a long string instead, what then?
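As an added example (not code from the article), the three cases above written the safe way in an annotation-based MyBatis mapper, assuming MySQL, a hypothetical `order` table with columns id, name, tag and createDate, and a hypothetical `Order` result class. The LIKE and IN cases bind every user value as a ? parameter; the ORDER BY case, where ${} is unavoidable, is gated by the `sortDirection` whitelist.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Hypothetical example: safe forms of LIKE, IN and ORDER BY in MyBatis (MySQL syntax).
public final class SafeOrderQueries {
    // Minimal result class standing in for the page's resultMap (assumed columns).
    public static final class Order {
        public Long id;
        public String name;
        public String tag;
        public java.util.Date createDate;
    }

    public interface OrderMapper {
        // LIKE: wildcards are added inside SQL with CONCAT, so #{name} is still bound
        // as a ? parameter and can never escape the string literal.
        @Select("SELECT * FROM `order` WHERE name LIKE CONCAT('%', #{name}, '%')")
        List<Order> findByNameLike(@Param("name") String name);

        // IN: <foreach> expands to one ? per element; annotations need the <script> wrapper.
        @Select("<script>"
              + "SELECT * FROM `order` WHERE tag IN "
              + "<foreach collection='tags' item='item' open='(' separator=',' close=')'>"
              + "#{item}</foreach>"
              + "</script>")
        List<Order> findByTags(@Param("tags") List<String> tags);

        // ORDER BY: a sort direction cannot be a bound parameter, so ${} is unavoidable.
        // Only ever call this with the return value of sortDirection() below.
        @Select("SELECT * FROM `order` ORDER BY createDate ${sortType}")
        List<Order> findAllSorted(@Param("sortType") String sortType);
    }

    private static final Set<String> SORT_DIRECTIONS = Set.of("ASC", "DESC");

    // Whitelist for the ${sortType} case: returns one of the fixed literals or rejects,
    // so a long or unexpected string never reaches the SQL text.
    public static String sortDirection(String requested) {
        if (requested == null || requested.isBlank()) return "ASC";
        String upper = requested.trim().toUpperCase(Locale.ROOT);
        if (!SORT_DIRECTIONS.contains(upper)) {
            throw new IllegalArgumentException("unsupported sort direction: " + requested);
        }
        return upper;
    }
}
```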
Summary
SQL injection still exists in 2021, but the bar has been raised. The decrease in SQL injection today is entirely due to frameworks and has nothing to do with the skill of programmers. SQL splicing will never go away, because it is the fastest and easiest way and people get addicted to it. There are countless outsourced projects, and many systems have been lying dormant for more than ten years. Hoping that SQL injection will be eliminated at the framework layer is a dream.
Because its opponent is human laziness, and no one can defeat that.
The above is the detailed content of "Are you sure SQL injection is dead?". For more information, please follow other related articles on the PHP Chinese website!