Is this vulnerable to SQL Injection?

blov · · 565 views
This is a resource shared on ; the information in it may have since developed or changed.
`_, err = db.Exec("INSERT INTO books(name) VALUES(?)", university)`

If so, how can I delete all the information in the books table using an HTML input field?

---

**Comments:**

barsonme: no, not unless your database doesn't escape the parameterized queries.

Typically SQL injection happens when you try something like this:

`_, err := db.Exec("INSERT INTO books(name) VALUES("+university+")")`

...or something similar using fmt.Sprintf, a bytes.Buffer, etc.

beeks10: I should be safe? I am just worried about SQL injection. All my db.Exec are like the one listed above and none of them are like: `_, err := db.Exec("INSERT INTO books(name) VALUES("+university+")")`

jussij: The reason it is safe is because you have the ? in the Exec statement.

That is a placeholder for what is known as a *parameterized query* and that's what makes it safe.

barsonme: I already answered that question. However, I recommend you read: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

PsyWolf: Yes. You are safe.

But don't just take our word for it. Learn more about SQL injection attacks. They're interesting and not too complex for any ordinary programmer to understand.

pentestrobutiv: Safe

mc_hammerd: type in the field `1); DELETE FROM books WHERE 1;--` (dunno)

(this can be protected against by a mysql option 1 cmd per query)

beeks10: That didn't work

mc_hammerd: I also tried a subquery... didn't work for me, it looks safe. but try anyways if you want..

a) `ISNULL((DELETE FROM books WHERE 1), 1)`

b) `(DELETE FROM BOOKS WHERE 1)`
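The thread's answer is that the `?` placeholder makes the value a bound parameter rather than part of the SQL text. The following is an added example, not code from the original post or any of its commenters: it runs the two patterns barsonme contrasts against an in-memory SQLite database using Python's standard `sqlite3` module, whose `execute("... VALUES(?)", (value,))` binds the value the same way Go's `db.Exec("... VALUES(?)", university)` does. SQLite is used only so the example runs offline without a database server or a Go driver; the `books(name TEXT)` table, its seed rows, and the input values are constructed for the demonstration (the string passed as the "payload" is the one quoted by mc_hammerd in the thread).

```python
import sqlite3

# Constructed sample inputs: an ordinary name that happens to contain an
# apostrophe, and the string quoted in the thread.
LEGIT_NAME = "O'Reilly Media"
THREAD_PAYLOAD = "1); DELETE FROM books WHERE 1;--"

SEED_ROWS = [("Go Programming",), ("SQL Basics",)]


def fresh_db():
    """In-memory database with the thread's books table and two seed rows (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books(name TEXT)")
    conn.executemany("INSERT INTO books(name) VALUES(?)", SEED_ROWS)
    conn.commit()
    return conn


def insert_concatenated(conn, university):
    """The pattern barsonme warns about: the input is spliced into the SQL text,
    so the database parser sees it as SQL syntax, not as a value."""
    conn.execute("INSERT INTO books(name) VALUES(" + university + ")")
    conn.commit()


def insert_parameterized(conn, university):
    """Equivalent of db.Exec("INSERT INTO books(name) VALUES(?)", university):
    the SQL text is fixed and the input is bound to the placeholder as data."""
    conn.execute("INSERT INTO books(name) VALUES(?)", (university,))
    conn.commit()


def book_names(conn):
    """Current contents of the books table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM books ORDER BY rowid")]


def run_demo():
    """Exercise both patterns and report what ended up in the table."""
    results = {}

    # 1. Parameterized insert of the thread's string: it is stored as a literal
    #    row and the seed rows are untouched, because it never reaches the parser.
    conn = fresh_db()
    insert_parameterized(conn, THREAD_PAYLOAD)
    results["param_names"] = book_names(conn)

    # 2. Parameterized insert of a name with an apostrophe: no quoting needed.
    conn = fresh_db()
    insert_parameterized(conn, LEGIT_NAME)
    results["param_legit"] = book_names(conn)

    # 3. Concatenated insert of the same ordinary name: the apostrophe is read
    #    as SQL syntax and the statement fails to parse. The same property that
    #    breaks legitimate input is what lets crafted input change the query.
    conn = fresh_db()
    try:
        insert_concatenated(conn, LEGIT_NAME)
        results["concat_error"] = None
    except sqlite3.Error as exc:
        results["concat_error"] = type(exc).__name__
    results["concat_names"] = book_names(conn)

    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it and compare `param_names` with `concat_error`: the bound parameter stores the thread's string verbatim as a third row, while the concatenated form cannot even insert a name containing an apostrophe. That is the check to apply to any `Exec` call in the code base: the SQL string must be a constant with placeholders, and every user-controlled value must arrive through the argument list.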
