SQL injection on autoincrement

I have been looking up SQL injection lately and what they are, what they do and how to stop them. Most place talk about username stored by users in select stamens causing problems such as 'OR 1 but if I was to only use a auto incremented id to select information from a database and not a user input value would this also prevent sql injections?


SQL Injection applies specifically to the shape of the query - it says nothing about queries that can accidentally leak information from other means.

SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements [or expressions] are inserted into an entry field for execution..

Using placeholders eliminates SQL Injection1,

but..

..just because a system is free from SQL Injection does not mean that it is safe from other vulnerabilities.

For instance, imagine this query, where @OWNER represents a placeholder.

select *
from emails
where owner = @OWNER

This query is free from SQL injection, but if an attacker can specify an arbitrary "OWNER" value, then they can access someone else's email - oops! This is just a security vulnerability; not SQL Injection.


1 Use placeholders for all data that comes from variables.

It doesn't matter if it is from the user or not. It doesn't matter if the value is guaranteed to be an integer (even one from an auto-increment column) or not. Just use placeholders consistently - then you'll have cleaner queries and more time to focus on other problems.


Everyone who is looking up on SQL injection, have to understand that there is no way to exploit a non-existent injection . On the other hand, once injection is possible, there is potentially infinite number of possible exploits .

Means one should never care of particular exploits. But always concentrate on making injection impossible.

链接地址: http://www.djcxy.com/p/93966.html

上一篇: 在动态SQL中防止SQL注入

下一篇: 自动增量的SQL注入