I'm using the orientjs library to perform operations in the Orient Database. I read in the documentation that it's possible to use parameter-style queries like the following:
db.query(
  'SELECT name, ba FROM Player '
  + 'WHERE ba >= :ba AND team = ":team"',   // ":team" in quotes is a string literal, not a parameter
  {
    params: {
      ba: targetBA,
      team: targetTeam
    },
    limit: 20
  }
).then(function(hitters) {
  console.log(hitters);
});
My question is: Is it enough to prevent SQL injection? Because I didn't find information about that in the NodeJS API. In the case of Java, there is a 'Prepared Query' concept; I'm not sure if they are referring to the same thing.
1 solution
#1
4
It seems to be secure. I'm trying with this code (yours, taken from the wiki, is a bit buggy):
var OrientDB = require('orientjs');

// Assumed connection settings (not in the original post); adjust to your server.
var server = OrientDB({ host: 'localhost', port: 2424, username: 'root', password: 'root' });
var db = server.use('mydb');

var name = 'admin';
db.open().then(function() {
  return db.query(
    "SELECT * FROM OUser "
    + "WHERE name = :name",      // unquoted named placeholder; the value is sent as a parameter
    { params: { name: name } }
  );
}).then(function(res) {
  console.log(res);
  db.close().then(function() {
    console.log('closed');
  });
});
First of all, the query is parsed as SELECT * FROM OUser WHERE name = "admin" (observed with the Studio Query Profiler).
As expected, I get the admin user record.
Since the params are evaluated directly as String, there's no need to quote them (e.g. :name, not ':name'). So there is no way to inject something like ' OR '1'='1 or any ; drop something;
Here are some tests I did:

- var name = '; create class p;';
  returns no records; evaluated by Orient as:
  SELECT * FROM OUser WHERE name = "; create class p;"

- var name = "' OR '1'='1";
  returns no records; evaluated as:
  SELECT * FROM OUser WHERE name = "' OR '1'='1"

- var name = '" OR "1"="1';
  returns no records; evaluated as:
  SELECT * FROM OUser WHERE name = "\" OR \"1\"=\"1"

- quoting the param name in the query:
  "WHERE name = ':name'"
  evaluated as:
  SELECT * FROM OUser WHERE name = ':name'

Feel free to try more combinations; in my opinion it seems quite safe.
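Two things in this thread are worth turning into a check: the question's own team = ":team" and the answer's last test, where ':name' is compared as the literal string and never substituted. Both silently return no rows instead of failing. The block below is an added example, not code from the original post or from orientjs itself; it assumes db is an orientjs Db whose db.query(sql, {params, limit}) returns a promise, and the helper names (lintParamQuery, buildQueryCall, safeQuery, unsafeBuild) and the sample inputs are mine. It lints a query for quoted or unmatched placeholders before anything reaches db.query, and shows next to it why string concatenation is the pattern that actually lets the answer's payloads take effect:

```javascript
// Added example (not from the original post and not orientjs's own API):
// a guard that catches the two parameter mistakes visible in this thread before
// the query text reaches db.query(), plus the concatenation anti-pattern for contrast.
//
//  - A placeholder wrapped in quotes, as in the question's  team = ":team"  and the
//    answer's last test  name = ':name', is compared as the literal string; the
//    parameter value is never used.
//  - A placeholder with no value in params, or a params key the query never uses,
//    is almost always a typo and should fail loudly rather than match nothing.

const PLACEHOLDER = /:([A-Za-z_][A-Za-z0-9_]*)/g;              // :name style named parameter
const QUOTED_PLACEHOLDER = /(['"]):[A-Za-z_][A-Za-z0-9_]*\1/;   // ':name' or ":name"

// Returns a list of human-readable problems; an empty list means the query is well-formed.
function lintParamQuery(sql, params) {
  const problems = [];
  const values = params || {};

  const quoted = QUOTED_PLACEHOLDER.exec(sql);
  if (quoted) {
    problems.push('placeholder ' + quoted[0] + ' is quoted, so it is a string literal, not a parameter');
  }

  const used = new Set();
  let m;
  PLACEHOLDER.lastIndex = 0;
  while ((m = PLACEHOLDER.exec(sql)) !== null) {
    used.add(m[1]);
    if (!Object.prototype.hasOwnProperty.call(values, m[1])) {
      problems.push('placeholder :' + m[1] + ' has no value in params');
    }
  }

  for (const key of Object.keys(values)) {
    if (!used.has(key)) {
      problems.push('params.' + key + ' is not referenced by the query');
    }
    if (values[key] === undefined) {
      problems.push('params.' + key + ' is undefined and would be dropped when the request is serialised');
    }
  }
  return problems;
}

// Builds the (sql, options) pair that db.query() takes, or throws if the lint fails.
// The value itself is NOT escaped or rewritten: it travels separately from the SQL
// text, which is what makes the payloads in the answer's tests harmless.
function buildQueryCall(sql, params, limit) {
  const problems = lintParamQuery(sql, params);
  if (problems.length > 0) {
    throw new Error('refusing to run query: ' + problems.join('; '));
  }
  const opts = { params: params };
  if (limit !== undefined) {
    opts.limit = limit;
  }
  return { sql: sql, opts: opts };
}

// Thin wrapper; db is assumed to be an orientjs Db instance whose query() returns a promise.
function safeQuery(db, sql, params, limit) {
  let call;
  try {
    call = buildQueryCall(sql, params, limit);
  } catch (err) {
    return Promise.reject(err);
  }
  return db.query(call.sql, call.opts);
}

// The anti-pattern, for contrast: the same payloads the answer tried become part of
// the SQL text, and the tautology takes effect.
function unsafeBuild(name) {
  return "SELECT * FROM OUser WHERE name = '" + name + "'";
}

// Constructed inputs: the payloads from the answer's tests.
const PAYLOADS = ["; create class p;", "' OR '1'='1", '" OR "1"="1'];

function demo() {
  for (const p of PAYLOADS) {
    console.log('concatenated :', unsafeBuild(p));
    console.log('parameterised:', JSON.stringify(buildQueryCall('SELECT * FROM OUser WHERE name = :name', { name: p })));
  }
  // The question's original snippet, as the linter sees it:
  console.log(lintParamQuery('SELECT name, ba FROM Player WHERE ba >= :ba AND team = ":team"', { ba: 0.3, team: 'NYY' }));
}
demo();
```

With a real orientjs connection you would call safeQuery(db, sql, params, limit) in place of db.query; the concatenated strings printed by demo() are only there to show what an attacker's input turns into when it is pasted into the query text instead of being passed through params.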