sun*_*kin 0 sql oracle oracle10g
当用户在C#(.NET)开发的表单条目中输入输入文本(例如"Sam的项目可交付成果")时,我想要单引号.数据库是ORACLE 10g.
我遇到了ORACLE 10g http://www.orafaq.com/wiki/SQL_FAQ#How_does_one_escape_special_characters_when_writing_SQL_queries.3F提供的引用分隔符功能,但我不确定是否使用这样的引用分隔符q'[带有单引号的某些文本]作为部分SELECT语句会阻止SQL注入攻击吗?
引号分隔符q'[带单引号的文本]'的示例用法:
SQL> SELECT q'[Frank's Oracle site]' AS text FROM DUAL;
TEXT
-------------------
Frank's Oracle site
SQL> SELECT q'[A 'quoted' word.]' AS text FROM DUAL;
TEXT
----------------
A 'quoted' word.
SQL> SELECT q'[A ''double quoted'' word.]' AS text FROM DUAL;
TEXT
-------------------------
A ''double quoted'' word.
如果您的查询看起来像这样......
query = "SELECT * FROM Users WHERE name = q'[" + <what the user entered> + "]'";
...并且用户输入这样的内容......
abc]';<harmful statement>;SELECT * FROM DUAL WHERE '1'=q'[1
......他们将成功注射.
你使用哪个分界符并不重要q- 坚定的攻击者会尝试所有分隔符.准备好的陈述是你最好的辩护.