concatenated directly into the string used to specify the query structure.
The use of parameterized queries will not prevent SQL injection if some
parameters are handled in this way.
■ Parameter placeholders cannot be used to specify the table and column names used in the query. In some very rare cases, applications need to specify these items within an SQL query on the basis of user-supplied data. In this situation, the best approach is to use a white list of known good values (i.e., the list of tables and columns actually used within the database) and reject any input that does not match an item on this list. Failing this, strict validation should be enforced on the user input — for example, allowing only alphanumeric characters, excluding whitespace, and enforcing a suitable length limit.
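The following example is added here to illustrate the two defenses described above; it is not code from the book. It assumes a small SQLite schema (constructed for the demo) and shows a whitelist that maps user-supplied table and column names onto the set actually used by the application, a fallback identifier validator of the strict kind described (alphanumeric plus underscore, no whitespace, bounded length), and the data value itself still bound through a parameter placeholder rather than concatenated.

```python
import re
import sqlite3

# Constructed whitelist: the tables and columns this application actually
# queries. Anything not listed here is rejected before it reaches SQL.
ALLOWED_COLUMNS = {
    "users": {"id", "username", "email"},
    "orders": {"id", "user_id", "total"},
}

# Fallback strict validation for identifiers when no whitelist is possible:
# letters, digits and underscore only, no whitespace, at most 30 characters.
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9_]{1,30}")


def validate_identifier(name):
    """Return the name unchanged if it passes strict validation, else raise."""
    if not isinstance(name, str) or not IDENTIFIER_RE.fullmatch(name):
        raise ValueError("rejected identifier: %r" % (name,))
    return name


def resolve_column(table, column):
    """Map user-supplied table/column names onto the known-good list.

    Only an exact match against the whitelist is accepted; the returned
    strings are the whitelist's own entries, never the raw input.
    """
    if table not in ALLOWED_COLUMNS:
        raise ValueError("unknown table: %r" % (table,))
    if column not in ALLOWED_COLUMNS[table]:
        raise ValueError("unknown column %r for table %r" % (column, table))
    return table, column


def lookup(conn, table, column, value):
    """SELECT rows where <column> equals <value>.

    Identifiers come from the whitelist, so interpolating them is safe;
    the comparison value is passed as a parameter and never concatenated.
    """
    table, column = resolve_column(table, column)
    sql = "SELECT * FROM %s WHERE %s = ?" % (table, column)
    return conn.execute(sql, (value,)).fetchall()


def make_demo_db():
    """Constructed in-memory database with sample rows for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER, username TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.com');
        INSERT INTO users VALUES (2, 'bob', 'bob@example.com');
        """
    )
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(lookup(db, "users", "username", "alice"))
    # A classic tautology in the value position stays inert: it is bound as
    # data, so no row has that literal username and nothing is returned.
    print(lookup(db, "users", "username", "' OR '1'='1"))
    for bad in ("users; DROP TABLE users", "user name", "x" * 40):
        try:
            validate_identifier(bad)
        except ValueError as exc:
            print(exc)
```

The whitelist path is preferred because it needs no reasoning about what characters are dangerous in a given database dialect; the regex validator is only the fallback for cases where the set of legitimate names cannot be enumerated in advance.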