oracle数据库:开发成功的Oracle应用_笔记6
1.3开发数据库应用的正确(和不正确)方法(续)
1.3.1了解oracle体系结构
对于采用串拼接的开发人员来说,不使用绑定变量还有一个影响,这就是安全性,尤其是一种称为“SQL注入”的攻击。
确实,如果你没有使用绑定变量,而且使用了之前PROC2中所示的串拼接技术,代码就很有可能遭遇SQL注入攻击,必须仔细审查。
必须带着怀疑的态度去审视,不使用绑定变量应当作为一种特例情况,而绝非普遍现象。
SQL注入例程
sys@ORCL>create user test identified by test;
User created.
sys@ORCL>grant connect to test;
Grant succeeded.
sys@ORCL>grant
2 create any table,create any view,create any procedure,alter any table,alter any procedure,drop any table,drop any
procedure to test;
Grant succeeded.
sys@ORCL>grant unlimited tablespace to test;
Grant succeeded.
test@ORCL>create or replace procedure inj(p_date in date)
2 as
3 l_rec all_users%rowtype;
4 c sys_refcursor;
5 l_query long;
6 begin
7 l_query :='
8 select *
9 from all_users
10 where created = '''||p_date||'''';
11 dbms_output.put_line(l_query);
12 open c for l_query;
13 for i in 1..5
14 loop
15 fetch c into l_rec;
16 exit when c%notfound;
17 dbms_output.put_line(l_rec.username||'.....');
18 end loop;
19 close c;
20 end;
21 /
Procedure created.
test@ORCL>exec inj(sysdate)
select *
from all_users
where created = '22-AUG-13'
PL/SQL procedure successfully completed.
test@ORCL>create table user_pw
2 (uname varchar2(30) primary key,
3 pw varchar2(30)
4 );
Table created.
test@ORCL>insert into user_pw
2 (uname,pw)
3 values('TKYTE','TOP SECRET');
1 row created.
test@ORCL>commit;
Commit complete.
test@ORCL>grant execute on inj to scott;
Grant succeeded.
scott@ORCL>alter session set
2 nls_date_format='"''union select tname,0,null from tab--"';
Session altered.
scott@ORCL>exec test.inj(sysdate)
select *
from all_users
where created = ''union select tname,0,null from tab--'
USER_PW.....
PL/SQL procedure successfully completed.
scott@ORCL>alter session set
2 nls_date_format='"''union select tname||cname,0,null from col--"';
Session altered.
scott@ORCL>exec test.inj(sysdate)
select *
from all_users
where created = ''union select tname||cname,0,null from col--'
USER_PWPW.....
USER_PWUNAME.....
PL/SQL procedure successfully completed.
scott@ORCL>alter session set
2 nls_date_format='"''union select uname,0,null from user_pw--"';
Session altered.
scott@ORCL>exec test.inj(sysdate)
select *
from all_users
where created = ''union select uname,0,null from user_pw--'
TKYTE.....
PL/SQL procedure successfully completed.
scott@ORCL>alter session set
2 nls_date_format='"''union select pw,0,null from user_pw--"';
Session altered.
scott@ORCL>exec test.inj(sysdate)
select *
from all_users
where created = ''union select pw,0,null from user_pw--'
TOP SECRET.....
PL/SQL procedure successfully completed.
test@ORCL>create or replace procedure NOT_inj(p_date in date)
2 as
3 l_rec all_users%rowtype;
4 c sys_refcursor;
5 l_query long;
6 begin
7 l_query :='
8 select *
9 from all_users
10 where created = :x';
11 dbms_output.put_line(l_query);
12 open c for l_query USING P_DATE;
13 for i in 1..5
14 loop
15 fetch c into l_rec;
16 exit when c%notfound;
17 dbms_output.put_line(l_rec.username||'.....');
18 end loop;
19 close c;
20 end;
21 /
Procedure created.
test@ORCL>exec NOT_inj(sysdate)
select *
from all_users
where created = :x
PL/SQL procedure successfully completed.
这个NLS_DATE_FORMAT很有意思,大多数人甚至不知道可以用NLS_DATE_FORMAT包含字符串字面量。在这里,恶意用户的做法就是使用你的权限集“蒙骗”代码查询你原本不希望他查询的表。TAB字典视图限制为当前模式所能看到的表集。用户运行这个过程时,用于授权的当前模式就是这个过程的所有者。
???有一点相当简单明了:如果使用绑定变量,就不会遭遇SQL注入攻击。
http://blog.csdn.net/heqiyu34/article/details/7692188 Oracle 单引号转义
http://www.52ij.com/jishu/5132.htmloracle数据库:开发成功的Oracle应用_笔记5
本文来源 我爱IT技术网 http://www.52ij.com/jishu/5135.html 转载请保留链接。
- 评论列表(网友评论仅供网友表达个人看法,并不表明本站同意其观点或证实其描述)
-