Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DB.Model(&AAA{}).Order("if(user()='[email protected]', column_name, 1) desc").Offset(offset).Limit(pageSize).Scan(&list).Error,这种情况算不算sql注入? #7053

Open
sun-xch opened this issue Jun 7, 2024 · 3 comments
Open

DB.Model(&AAA{}).Order("if(user()='[email protected]', column_name, 1) desc").Offset(offset).Limit(pageSize).Scan(&list).Error,这种情况算不算sql注入? #7053

sun-xch opened this issue Jun 7, 2024 · 3 comments
Assignees
@jinzhu
Labels
type:question general questions

Comments

@sun-xch
Copy link

sun-xch commented Jun 7, 2024

Your Question

The document you expected this should be explained

Expected answer
@sun-xch sun-xch added the type:question general questions label Jun 7, 2024
@ahao-o
Copy link

ahao-o commented Jun 7, 2024
edited
Loading

有打印实际执行的sql吗。如果到了数据库层执行还存在敏感关键词那这就是注入了

@ivila
Copy link

ivila commented Jun 11, 2024

算,不要把别人传过来的字符串内容直接用到SQL里面。

实际上防注入的方式是使用PrepareStatement去对你的SQL语句做预编译,然后再把参数写进去,保证参数只是参数。
比如你想用一个str field去做等值判断:
正确的写法:

    query := db.Model(Table{}).Where("field_str = ?", "random str").Where("id = ?", 1)

然后GORM底层会帮你使用prepare statement去防止注入

// 预编译生成一个Prepare Statement
PREPARE stmt1 FROM 'SELECT * FROM table_a WHERE field_str = ? AND id = ?';
// 然后使用参数去调用
set @a = 'random str';
set @b = 4;
EXECUTE stmt1 USING @a, @b;

你这种写法是错误的,因为你直接把用户输入拼接到SQL里面了,你就类似于做了这样的操作
错误的写法:

    query := db.Model(Table{}).Where(fmt.Sprintf("field_str = '%s'", "random str")).Where("id = ?", 1)

对应执行的SQL就是

// 预编译了一个已经完成SQL注入的SQL
PREPARE stmt1 FROM "SELECT * FROM table_a WHERE field_str = 'random str' AND id = ?";
// 然后使用参数去调用
set @b = 4;
EXECUTE stmt1 USING @b;

所以对于你的问题的答案:是的,你这么写是可能被SQL注入的,所以你一定要检查column_name必须是合法的输入(比如你自己搞个enum去限定之类的)

@iseki0
Copy link

iseki0 commented Jun 11, 2024

不止 Order,还有 Select,Table 等等,以及 Where 的第一个参数,就是用来注入 SQL 的,许多功能需要通过灵活拼接 SQL 实现,这个地方过滤注入就没法用了。这是 feature。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jinzhu jinzhu

Labels
type:question general questions
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jinzhu @ivila @iseki0 @sun-xch @ahao-o