关于SQL注入
今晚看了msdn关于SQL注入的介绍,其中有一段不明白麻烦大家帮忙看下:
由数据截断启用的注入
如果分配给变量的任何动态 Transact-SQL 比为该变量分配的缓冲区大,那么它将被截断。如果攻击者能够通过将意外长度的字符串传递给存储过程来强制执行语句截断,则该攻击者可以操作该结果。例如,以下脚本创建的存储过程容易受到由截断启用的注入攻击。
CREATE PROCEDURE sp_MySetPassword @loginname sysname, @old sysname, @new sysname AS -- Declare variable. -- Note that the buffer here is only 200 characters long. DECLARE @command varchar(200) -- Construct the dynamic Transact-SQL. -- In the following statement, we need a total of 154 characters -- to set the password of 'sa'. -- 26 for UPDATE statement, 16 for WHERE clause, 4 for 'sa', and 2 for -- quotation marks surrounded by QUOTENAME(@loginname): -- 200 – 26 – 16 – 4 – 2 = 154. -- But because @new is declared as a sysname, this variable can only hold -- 128 characters. -- We can overcome this by passing some single quotation marks in @new. SET @command= 'update Users set password=' + QUOTENAME(@new, '''') + ' where username=' + QUOTENAME(@loginname, '''') + ' AND password = ' + QUOTENAME(@old, '''') -- Execute the command. EXEC (@command) GO
