FixVibe
Covered by FixVibe · critical

SQL injection: unauthorized database access

SQL injection (SQLi) is a serious vulnerability in which attackers manipulate the queries an application sends to its database. By inserting malicious SQL syntax, attackers can bypass authentication, read sensitive data such as passwords and credit card details, or even compromise the underlying server.

CWE-89

Impact of SQL injection

SQL injection (SQLi) lets an attacker manipulate the queries an application runs against its database [S1]. The primary impact is unauthorized access to sensitive data such as user passwords, credit card details, and personal information [S1].

Beyond data theft, attackers can modify or delete database records, leading to persistent changes in application behaviour or to data loss [S1]. In severe cases, SQLi can escalate to compromise of back-end infrastructure, denial of service, or a persistent backdoor into enterprise systems [S1][S2].

Root cause: improper input handling

The root cause of SQL injection is improper neutralization of special elements used in SQL commands [S2]. It occurs when an application builds a SQL query by concatenating external input directly into the query string [S1][S2].

Because the input is not properly separated from the query structure, the database interpreter can parse part of the user input as SQL code rather than treating it as plain data [S2]. The weakness can appear in any part of a query, including SELECT statements, INSERT values, and UPDATE statements [S1].

Concrete fixes and mitigations

Use parameterized queries

The most effective way to prevent SQL injection is to use parameterized queries, also known as prepared statements [S1]. Instead of string concatenation, developers should use structured database APIs that enforce the separation of data from code [S2].
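The following added Python example (it is not FixVibe's code and not from the cited sources) puts the root cause described above next to the parameterized fix. It uses an in-memory SQLite database constructed for the demonstration; the table, rows and the probe string are all constructed values. The vulnerable function concatenates the username into the SQL text, so the database parses the probe as SQL and the WHERE clause matches every row; the parameterized function binds the same string as data and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users(username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Root cause (CWE-89): external input is spliced into the SQL text, so the
    database interpreter treats any SQL syntax inside it as part of the query."""
    query = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, username):
    """Fix: the query structure is fixed at compile time and the driver binds the
    value through a placeholder, so it can only ever be compared as data."""
    query = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Constructed probe input: SQL syntax placed inside what should be a plain data field.
PROBE = "' OR '1'='1"


def demo():
    """Return how many rows each variant yields for the probe versus a normal username."""
    conn = make_db()
    return {
        "vulnerable_probe_rows": len(find_user_vulnerable(conn, PROBE)),
        "parameterized_probe_rows": len(find_user_parameterized(conn, PROBE)),
        "parameterized_alice": find_user_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated variant returns both users for the probe because the resulting text `WHERE username = '' OR '1'='1'` is true for every row; the bound variant returns no rows, since no user literally has that string as a username. Note that the parameterized query never needs escaping of quotes: the driver does not rewrite the SQL text at all.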

Principle of least privilege

Applications should connect to the database with the lowest privileges their function requires [S2]. The web application's account should not hold administrative rights and should be restricted to the tables and operations its task actually needs [S2].

Input validation and sanitization

Although it is not a replacement for parameterization, input validation provides defence in depth [S2]. Applications should validate input against well-defined allow-list patterns, checking that it matches the expected type, length, and format [S2].
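The added Python example below (not from the page or from FixVibe) shows allow-list validation as the second layer the text describes. It is written around the one place where a bound parameter cannot help: a sort column is an identifier, and drivers do not bind identifiers. Rather than interpolating even a validated column name into the query text, the code keeps a fixed set of complete queries and selects one by key, so no SQL text is ever assembled from input. The patterns, table and rows are constructed.

```python
import re
import sqlite3

# Constructed allow-list rules for the two value inputs this endpoint accepts.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")

# Identifiers cannot be bound as parameters, so each permitted sort order maps to a
# complete, pre-written query; the client's choice is only ever used as a dictionary key.
SORT_QUERIES = {
    "username": "SELECT id, username FROM users WHERE id >= ? ORDER BY username",
    "created_at": "SELECT id, username FROM users WHERE id >= ? ORDER BY created_at",
}


class ValidationError(ValueError):
    """Raised when input does not match the allow-list; callers map it to a 4xx response."""


def validate_username(value):
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError("username must be 3-32 characters from [a-z0-9_]")
    return value


def validate_user_id(value):
    """Type check: anything that is not a positive integer is rejected before it is bound."""
    try:
        number = int(value)
    except (TypeError, ValueError):
        raise ValidationError("id must be an integer") from None
    if number <= 0:
        raise ValidationError("id must be positive")
    return number


def validate_sort_column(value):
    if value not in SORT_QUERIES:
        raise ValidationError("unsupported sort column")
    return value


def list_users(conn, sort_by, min_id):
    """Validated identifier selects a fixed query; the validated value is still bound."""
    query = SORT_QUERIES[validate_sort_column(sort_by)]
    return conn.execute(query, (validate_user_id(min_id),)).fetchall()


def sample_db():
    """Constructed rows for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, created_at TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "carol", "2024-03-01"), (2, "alice", "2024-01-15"), (3, "bob", "2024-02-10")])
    return conn


if __name__ == "__main__":
    print(list_users(sample_db(), "username", "2"))
```

Validation rejects malformed input early and gives the application a clean error path, but the query above would remain safe without it, which is exactly the layering the text asks for: parameterization and fixed query text are the control, validation is the safety margin.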

How FixVibe tests for it

FixVibe already covers SQL injection through the gated active.sqli scan module. Active scanning runs only after consent and proof of domain ownership have been completed. The probe takes one GET query-parameter endpoint as its starting point, records the baseline response, looks for SQL boolean anomalies, and reports a finding only once the confirmation holds across several repeated runs. Static analysis also helps catch the root cause earlier, from the code, via code.web-app-risk-checklist-backfill, which flags raw SQL calls built with template interpolation.
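FixVibe's checker itself is not shown on this page. The added Python example below (not FixVibe's code) demonstrates the idea behind the static part of the check: walk a module's syntax tree and flag calls to SQL execution sinks whose first argument is assembled at runtime by an f-string, `%` formatting, `+` concatenation, or `str.format`. The sink names and the sample source it scans are constructed for the demonstration.

```python
import ast

# Constructed list of method names treated as raw SQL sinks.
SQL_SINKS = {"execute", "executemany", "executescript", "raw"}


def _is_interpolated(node):
    """True when the SQL text is assembled from pieces at runtime rather than a literal."""
    if isinstance(node, ast.JoinedStr):  # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True  # "..." + x   or   "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True  # "...".format(x)
    return False


def find_interpolated_sql(source, filename="<constructed>"):
    """Return (line, sink) for every SQL sink call whose query text is interpolated."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name in SQL_SINKS and _is_interpolated(node.args[0]):
            findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample module: four interpolated sinks and one correctly bound query.
SAMPLE_SOURCE = '''\
def lookup(cur, username, user_id):
    cur.execute(f"SELECT * FROM users WHERE username = '{username}'")
    cur.execute("SELECT * FROM users WHERE id = %s" % user_id)
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))
    cur.execute("SELECT * FROM users WHERE name = {}".format(username))
'''


if __name__ == "__main__":
    for line, sink in find_interpolated_sql(SAMPLE_SOURCE):
        print(f"<constructed>:{line}: raw SQL built by interpolation passed to {sink}()")
```

A check like this is deliberately syntactic: it cannot tell whether the interpolated value was validated upstream, so it is a review prompt rather than a verdict, and the bound-parameter call on the fifth line of the sample is correctly left alone.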