SELECT * FROM table1 where condition1=1 ORDER BY $sortField$ $sortOrder$ limit 0,20
$sortField$ and $sortOrder$ can be any SQL. Is this SQL at risk of injection?
ringa_lee 2017-04-17 15:06:00
As long as you use variables directly to build SQL statements, there is a risk of injection.
SELECT * FROM table1 where condition1=1 ORDER BY $sortField$ $sortOrder$ limit 0,20
sortField="id"
sortOrder="; drop table users; --"
Your SQL will become:
SELECT * FROM table1 where condition1=1 ORDER BY id; drop table users; -- limit 0,20
天蓬老师 2017-04-17 15:06:00
You are thinking about the problem in the wrong direction.
The correct way to prevent injection is to use the parameter mode of the official driver, because only the official version knows how to avoid being injected.
If you write SQL yourself, even if it is not injectable now, one of the components involved in this chain may change in the future, and then there will be a risk of injection.
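An added example, not from either answer above, showing the usual complement to the second answer's advice: ORDER BY takes identifiers, which bound parameters cannot supply, so the column name and direction are checked against an allowlist before being interpolated, while the condition value is bound normally. The allowed field names and the table contents are constructed for this example.

```python
import sqlite3

# Constructed allowlists: the only identifiers the application will ever
# interpolate into ORDER BY. Anything not listed here is rejected outright.
ALLOWED_SORT_FIELDS = {"id", "name", "created_at"}
ALLOWED_SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}


def build_query(sort_field: str, sort_order: str) -> str:
    """Return the page's query with ORDER BY built only from allowlisted values.

    Identifiers are validated by exact set membership, not by escaping, so a
    payload such as "; drop table users; --" never reaches the SQL text.
    The data value (condition1) is left as a bound parameter (?).
    """
    if sort_field not in ALLOWED_SORT_FIELDS:
        raise ValueError(f"unsupported sort field: {sort_field!r}")
    direction = ALLOWED_SORT_ORDERS.get(sort_order.lower())
    if direction is None:
        raise ValueError(f"unsupported sort order: {sort_order!r}")
    return (
        "SELECT * FROM table1 WHERE condition1 = ? "
        f"ORDER BY {sort_field} {direction} LIMIT 0,20"
    )


def is_rejected(sort_field: str, sort_order: str) -> bool:
    """True when the allowlist refuses the pair (the caller should return 400)."""
    try:
        build_query(sort_field, sort_order)
    except ValueError:
        return True
    return False


def fetch_rows(sort_field: str, sort_order: str, condition1: int = 1):
    """Run the validated query against a constructed in-memory table1."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE table1 (id INTEGER, name TEXT, created_at TEXT, condition1 INTEGER)"
    )
    conn.executemany(
        "INSERT INTO table1 VALUES (?, ?, ?, ?)",
        [(3, "c", "2017-04-15", 1), (1, "a", "2017-04-17", 1), (2, "b", "2017-04-16", 0)],
    )
    rows = conn.execute(build_query(sort_field, sort_order), (condition1,)).fetchall()
    conn.close()
    return rows
```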