ADO Command.Execute With Array of Parameters & SQL Injection

Time: 2022-01-04 04:26:38

Quick question... I have to work with quite a bit of legacy ASP code that I am cleaning up, and it all uses queries that are vulnerable to SQL injection. I have a library that I put together to replace them with parameterized queries, and I'm wondering if there is a difference from a security standpoint between the following approaches.

Approach 1: This is the approach shown on most examples where parameter objects are individually built and added to the Command object. Here's an example from another question.

Approach 2: Use the Command.Execute method with an array of parameter values. Example:

Command.CommandText = "select foo, bar from baz where a = ? and b = ?"
Command.Execute , Array(1, "BBB")

Yes, the first parameter to Execute is ignored.

The first approach has each parameter built with its type, size, etc all specified, and it needs to match the database. But I've always had trouble with that approach, weird errors and the like if everything isn't "just" perfect. So I prefer the latter, and it in fact works with my coding style much better because I can encapsulate the DB logic into a class and pass around arrays as needed without having to litter my code with tons of DB calls.

Example of approach #2 using my wrapper DB.Query method:

set rs = DB.Query("select foo, bar from baz where a = ? and b = ?", Array(1, "BBB"))

Or:

set rs = DB.Query("select foo, bar from baz", empty)

(passing keyword empty to denote the parameter is not used)

Given that, I'm wondering: Is approach #2 still safe from SQL injection attacks?

Thanks.

Edit: The call to Execute was wrong and written from memory; it has been corrected.
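
A worked version of the DB.Query wrapper described above, added here as an example; it is not the asker's own library. It assumes classic ASP (Server, Request and Response objects), uses a placeholder connection string, and reuses the table and column names from the question (baz, foo, bar, a, b). The commented-out line shows the legacy concatenation pattern the question is replacing, next to the parameterized call that replaces it.

```vbscript
' Added example (not the asker's code): a minimal DB.Query-style wrapper for
' classic ASP / VBScript. Connection string is a placeholder; the table and
' column names come from the question.
Class DB
    Private m_conn

    Private Sub Class_Initialize()
        Set m_conn = Server.CreateObject("ADODB.Connection")
        m_conn.Open "PLACEHOLDER_CONNECTION_STRING"
    End Sub

    Private Sub Class_Terminate()
        If Not m_conn Is Nothing Then
            If m_conn.State <> 0 Then m_conn.Close    ' 0 = adStateClosed
            Set m_conn = Nothing
        End If
    End Sub

    ' Executes sql, whose ? placeholders are bound positionally from params.
    ' params is an Array of values, or Empty when the statement has no placeholders.
    ' The values are sent as parameters and never become part of the SQL text,
    ' which is what keeps the statement's structure out of the client's control.
    Public Function Query(sql, params)
        Dim cmd
        Set cmd = Server.CreateObject("ADODB.Command")
        Set cmd.ActiveConnection = m_conn
        cmd.CommandType = 1                           ' 1 = adCmdText
        cmd.CommandText = sql
        If IsEmpty(params) Then
            Set Query = cmd.Execute
        Else
            Set Query = cmd.Execute(, params)         ' RecordsAffected omitted, as in the question
        End If
    End Function
End Class

Dim db, rs, userId
Set db = New DB
userId = Request.QueryString("id")                    ' client-controlled text

' Legacy pattern being replaced: the input is spliced into the statement, so
' whatever the client sends is parsed by the database as SQL.
' Set rs = db.Query("select foo, bar from baz where a = " & userId, Empty)

' Approach #2 from the question: same query, input passed as a parameter value.
Set rs = db.Query("select foo, bar from baz where a = ? and b = ?", Array(userId, "BBB"))
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("foo") & " " & rs("bar")) & "<br>"
    rs.MoveNext
Loop
rs.Close

' Statement with no placeholders, passing Empty as the question does.
Set rs = db.Query("select foo, bar from baz", Empty)
rs.Close
Set db = Nothing
```

Two things to keep in mind with this style. ADO infers each parameter's type from the VBScript variant it is given (a String becomes a character parameter, a Long an integer parameter), so converting input to the column's type before putting it in the Array (for example with CLng, inside error handling) avoids implicit conversions at the server. And placeholders can only stand in for values: a table name, column name or ORDER BY direction still cannot be taken from input and must come from a fixed allowlist in code.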

1 solution

#1

2

From my sight: yes it is.

I wrote a quick example and then debugged it with Visual Studio. After the call to

Command.Execute , Array(1, "BBB")

the Parameters object of the ADODB.Command is properly filled with the given values from the Array. The datatype and length of the parameters is correctly set.

So in my opinion this approach is as safe as the approach #1 (with a manually created Parameters object).