6

我正在检查通过使用参数化命令查询数据库的正确方法,并且仍然能够提取将匹配任何表作为通用 SP 的查询。

这个 sql sp 似乎没有可能为 SQL 注入打开一个漏洞,如果我错了,请纠正我这是安全的......

但这里的问题是,使用sp_executesql(似乎是安全的关键要素)不会返回 SELECT 结果。

我如何更改该存储过程以返回值(而不是“破坏”它的安全性)

    CREATE PROCEDURE [dbo].[SafeSqlSP_SelectGivenTableWithOptionalColFilter] 
    @columnList varchar(75) ='*',
    @tableName sysname ,
    @ColNameAsFilter1 varchar(75) ='',
    @ColNameAsFilter2 varchar(75) ='',
    @ColFilter1VAL varchar(75)='',
    @ColFilter2VAL varchar(75)=''       
    AS
            BEGIN
        SET NOCOUNT ON;

DECLARE @sqlCommand nvarchar(1000)
        if( @ColNameAsFilter2!='' AND @ColNameAsFilter1!='')
            begin
                SET @sqlCommand = 'SELECT ' + QUOTENAME(@columnList) + ' FROM ' + QUOTENAME(@tableName) +' WHERE ' + QUOTENAME(@ColNameAsFilter1) +' = @ColFilter1VAL AND ' + QUOTENAME(@ColNameAsFilter2) +' = @ColFilter2VAL'
                EXECUTE sp_executesql @sqlCommand,
                N'@ColFilter1VAL nvarchar(75), @ColFilter2VAL nvarchar(75)', @ColFilter1VAL= @ColFilter1VAL, @ColFilter2VAL = @ColFilter2VAL
            end
        else if( @ColNameAsFilter1!='' AND @ColNameAsFilter2='') 
            begin
                SET @sqlCommand = 'SELECT ' + QUOTENAME(@columnList) + ' FROM ' + QUOTENAME(@tableName) +' WHERE ' + QUOTENAME(@ColNameAsFilter1) +' = @ColFilter1VAL'
                EXECUTE sp_executesql @sqlCommand,
                N'@ColFilter1VAL nvarchar(75)', @ColFilter1VAL= @ColFilter1VAL
            end
        else if( @ColNameAsFilter1='' AND @ColNameAsFilter2='') 
            begin
                SET @sqlCommand = 'SELECT ' + QUOTENAME(@columnList) + ' FROM ' + QUOTENAME(@tableName)
                EXECUTE sp_executesql @sqlCommand
            end
    END
4

2 回答 2

2

这是我到目前为止所拥有的。除了 columnNames(我将在几秒钟内完成)之外,我已经使用 sp_executesql 测试了每个未参数化的列。

我对最终测试 columnNames 的方式并不完全满意,但我认为这不是一个真正的问题。首先,我希望 columnList 来自应用程序,而不是用户。用户不应该对填写前 7 个参数的数据库结构有足够的了解,并且开发人员面临的风险远大于 SQL 注入。话虽这么说,鉴于 columnList 的放置位置,我能想到的唯一 SQL 注入将必须包含单词“FROM”,并且在其两侧都有一个空格。因此,我对此进行了测试,并在发生错误时引发了错误。如果您碰巧有一个名为“此列来自其他地方”的列,这将是一个问题,但我们希望您没有。

只是一个注释。在过程查询系统表的情况下,我使用sys.all_objectssys.all_columns系统视图进行测试。如果您将它们更改为更常用的sys.objects并且sys.columns存储过程将不适用于系统视图。

编辑:我在 columnList 上添加了一个测试来检查分号。我意识到类似的事情'''abc''; print ''test''; select * '会是一个问题。

EDIT2:我更新了程序以更好地处理列列表。谢谢@HABO!。我还添加了代码来处理是否QUOTENAME在列列表中使用 []s、"s 或 's 以及 * 的一些常见格式来处理值。我正在使用@HABO 列出的拆分器函数,所以我'没有在这里列出它。

ALTER PROCEDURE [dbo].[SafeSqlSP_SelectGivenTableWithOptionalColFilter] 
    @columnList nvarchar(max) ='*',
    @tableSchema sysname ,
    @tableName sysname ,
    @ColNameAsFilter1 nvarchar(255) ='',
    @ColNameAsFilter2 nvarchar(255) ='',
    @ColFilter1VAL nvarchar(max)='',
    @ColFilter2VAL nvarchar(max)=''       
    AS

BEGIN
    SET NOCOUNT ON;

    --====================================================
    -- Set default values
    IF ISNULL(@tableSchema,'') = ''
        SET @tableSchema = 'dbo'
    ELSE
        SET @tableSchema = LTRIM(RTRIM(@tableSchema))

    IF ISNULL(@columnList,'') = ''
        SET @columnList = '*'

    SET @tableName = ISNULL(LTRIM(RTRIM(@tableName)),'')
    SET @ColNameAsFilter1 = ISNULL(LTRIM(RTRIM(@ColNameAsFilter1)),'')
    SET @ColNameAsFilter2 = ISNULL(LTRIM(RTRIM(@ColNameAsFilter2)),'')
    SET @ColFilter1VAL = ISNULL(@ColFilter1VAL,'')
    SET @ColFilter2VAL = ISNULL(@ColFilter2VAL,'')

    --====================================================
    -- Remove probably QUOTENAMEs from @tableSchema and @tableName before testing them
    SET @tableSchema = CASE WHEN LEFT(@tableSchema,1) = '[' AND RIGHT(@tableSchema,1) = ']'
                            THEN SUBSTRING(REPLACE(@tableSchema,']]',']'),2,LEN(REPLACE(@tableSchema,']]',']'))-2)
                        WHEN LEFT(@tableSchema,1) = '"' AND RIGHT(@tableSchema,1) = '"'
                            THEN SUBSTRING(REPLACE(@tableSchema,'""','"'),2,LEN(REPLACE(@tableSchema,'""','"'))-2)
                        WHEN LEFT(@tableSchema,1) = '''' AND RIGHT(@tableSchema,1) = ''''
                            THEN SUBSTRING(REPLACE(@tableSchema,'''''',''''),2,LEN(REPLACE(@tableSchema,'''''',''''))-2)
                        ELSE @tableSchema END

    SET @tableName = CASE WHEN LEFT(@tableName,1) = '[' AND RIGHT(@tableName,1) = ']'
                            THEN SUBSTRING(REPLACE(@tableName,']]',']'),2,LEN(REPLACE(@tableName,']]',']'))-2)
                        WHEN LEFT(@tableName,1) = '"' AND RIGHT(@tableName,1) = '"'
                            THEN SUBSTRING(REPLACE(@tableName,'""','"'),2,LEN(REPLACE(@tableName,'""','"'))-2)
                        WHEN LEFT(@tableName,1) = '''' AND RIGHT(@tableName,1) = ''''
                            THEN SUBSTRING(REPLACE(@tableName,'''''',''''),2,LEN(REPLACE(@tableName,'''''',''''))-2)
                        ELSE @tableName END

    --====================================================
    -- Test to make sure the schema.table exists
    IF NOT EXISTS (
                    SELECT 1 
                    FROM sys.all_objects
                    JOIN sys.schemas
                        ON sys.all_objects.schema_id = sys.schemas.schema_id
                    WHERE sys.all_objects.name = @tableName
                      AND sys.schemas.name = @tableSchema
                      AND sys.all_objects.[TYPE] IN ('S','U','V')
                    )
        BEGIN
            RAISERROR (N'Table %s.%s does not exist.',
                        16,
                        1,
                        @tableSchema,
                        @tableName)
            RETURN
        END

    --====================================================
    -- Test to make sure all of the comma delimited values 
    -- are valid columns for schema.table

    -- Create and populate a list of columns from columnlist
    DECLARE @ColumnListTable TABLE (Item varchar(255))

    INSERT INTO @ColumnListTable
    SELECT Item
    FROM dbo.SplitCSL(@columnList)

    -- Remove any extra spaces
    UPDATE @ColumnListTable SET Item = LTRIM(RTRIM(Item))
    -- "Fix" any * formats to a single format of [schema].[tablename].*
    UPDATE @ColumnListTable SET Item = CASE WHEN Item IN (

                @tableName + '.*',  @tableName + '.[*]', 
                '[' + @tableName + '].*', '[' + @tableName + '].[*]',

                @tableSchema + '.' + @tableName + '.*',  @tableSchema + '.' + @tableName + '.[*]', 
                @tableSchema + '.' + '[' + @tableName + '].*', @tableSchema + '.' + '[' + @tableName + '].[*]',

                '[' + @tableSchema + '].' + @tableName + '.*',  '[' + @tableSchema + '].' + @tableName + '.[*]', 
                '[' + @tableSchema + '].' + '[' + @tableName + '].*', '[' + @tableSchema + '].' + '[' + @tableName + '].[*]'
            ) 
            THEN '[' + @tableSchema + '].' + '[' + @tableName + '].*'
            WHEN Item IN ('*','[*]') THEN '*'
            ELSE Item END

    --====================================================
    -- Remove probably QUOTENAMEs from columns in column list before testing them
    UPDATE @ColumnListTable SET Item = 
                        CASE WHEN LEFT(Item,1) = '[' AND RIGHT(Item,1) = ']'
                            THEN SUBSTRING(REPLACE(Item,']]',']'),2,LEN(REPLACE(Item,']]',']'))-2)
                        WHEN LEFT(Item,1) = '"' AND RIGHT(Item,1) = '"'
                            THEN SUBSTRING(REPLACE(Item,'""','"'),2,LEN(REPLACE(Item,'""','"'))-2)
                        WHEN LEFT(Item,1) = '''' AND RIGHT(Item,1) = ''''
                            THEN SUBSTRING(REPLACE(Item,'''''',''''),2,LEN(REPLACE(Item,'''''',''''))-2)
                        ELSE Item END

    -- Check for invalid column names
    DECLARE @ColumnListFailures AS varchar(max)
    SET @ColumnListFailures = ''

    SELECT @ColumnListFailures = STUFF((    
        SELECT ', ' + Item
        FROM @ColumnListTable
        WHERE Item NOT IN (SELECT name
                            FROM sys.all_columns
                            WHERE object_id = OBJECT_ID(@tableSchema+'.'+@tableName))
          AND Item <> '[' + @tableSchema + '].' + '[' + @tableName + '].*'
        FOR XML PATH(''),TYPE).value('.','VARCHAR(MAX)')
        ,1,2, '')

    IF LEN(@ColumnListFailures) > 0
    BEGIN
            RAISERROR (N'Table %s.%s does not have columns %s that are listed in the columnList parameter.',
                        16,
                        1,
                        @tableSchema,
                        @tableName,
                        @ColumnListFailures)
            RETURN
    END

    -- QUOTENAME each of the column names and re-create @ColumnList
    SELECT @ColumnList = STUFF((
        SELECT ', ' + CASE WHEN Item = '[' + @tableSchema + '].' + '[' + @tableName + '].*' THEN Item 
                ELSE QUOTENAME(Item) END
        FROM @ColumnListTable
        FOR XML PATH(''),TYPE).value('.','VARCHAR(MAX)')
        ,1,2, '')


    --====================================================
    -- Remove probably QUOTENAMEs from first and second column filters before testing them
    SET @ColNameAsFilter1 = CASE WHEN LEFT(@ColNameAsFilter1,1) = '[' AND RIGHT(@ColNameAsFilter1,1) = ']'
                            THEN SUBSTRING(REPLACE(@ColNameAsFilter1,']]',']'),2,LEN(REPLACE(@ColNameAsFilter1,']]',']'))-2)
                        WHEN LEFT(@ColNameAsFilter1,1) = '"' AND RIGHT(@ColNameAsFilter1,1) = '"'
                            THEN SUBSTRING(REPLACE(@ColNameAsFilter1,'""','"'),2,LEN(REPLACE(@ColNameAsFilter1,'""','"'))-2)
                        WHEN LEFT(@ColNameAsFilter1,1) = '''' AND RIGHT(@ColNameAsFilter1,1) = ''''
                            THEN SUBSTRING(REPLACE(@ColNameAsFilter1,'''''',''''),2,LEN(REPLACE(@ColNameAsFilter1,'''''',''''))-2)
                        ELSE @ColNameAsFilter1 END

    SET @ColNameAsFilter2 = CASE WHEN LEFT(@ColNameAsFilter2,1) = '[' AND RIGHT(@ColNameAsFilter2,1) = ']'
                            THEN SUBSTRING(REPLACE(@ColNameAsFilter2,']]',']'),2,LEN(REPLACE(@ColNameAsFilter2,']]',']'))-2)
                        WHEN LEFT(@ColNameAsFilter2,1) = '"' AND RIGHT(@ColNameAsFilter2,1) = '"'
                            THEN SUBSTRING(REPLACE(@ColNameAsFilter2,'""','"'),2,LEN(REPLACE(@ColNameAsFilter2,'""','"'))-2)
                        WHEN LEFT(@ColNameAsFilter2,1) = '''' AND RIGHT(@ColNameAsFilter2,1) = ''''
                            THEN SUBSTRING(REPLACE(@ColNameAsFilter2,'''''',''''),2,LEN(REPLACE(@ColNameAsFilter2,'''''',''''))-2)
                        ELSE @ColNameAsFilter2 END

    --====================================================
    -- Check that the first filter column name is valid
    IF @ColNameAsFilter1 <> '' AND
        NOT EXISTS (SELECT 1 
                    FROM sys.all_columns
                    WHERE object_id = OBJECT_ID(@tableSchema+'.'+@tableName)
                      AND name = @ColNameAsFilter1)
        BEGIN
            RAISERROR (N'Table %s.%s does not have a column %s.',
                        16,
                        1,
                        @tableSchema,
                        @tableName,
                        @ColNameAsFilter1)
            RETURN
        END

    --====================================================
    -- Check that the second filter column name is valid
    IF @ColNameAsFilter2 <> '' AND
        NOT EXISTS (SELECT 1 
                    FROM sys.all_columns
                    WHERE object_id = OBJECT_ID(@tableSchema+'.'+@tableName)
                      AND name = @ColNameAsFilter2)
        BEGIN
            RAISERROR (N'Table %s.%s does not have a column %s.',
                        16,
                        1,
                        @tableSchema,
                        @tableName,
                        @ColNameAsFilter2)
            RETURN
        END 


    --====================================================
    -- Construct & execute the dynamic SQL
    DECLARE @sqlCommand nvarchar(max)

    SET @sqlCommand = 'SELECT ' + @columnList + CHAR(13) +
        ' FROM [' + @tableSchema + '].['+ @tableName + ']' + CHAR(13) + 
        ' WHERE 1=1 '

    IF @ColNameAsFilter1 != ''
        SET @sqlCommand = @sqlCommand + CHAR(13) + 
            ' AND ' + QUOTENAME(@ColNameAsFilter1) + ' = @ColFilter1VAL'

    IF @ColNameAsFilter2 != ''
        SET @sqlCommand = @sqlCommand + CHAR(13) + 
            ' AND ' + QUOTENAME(@ColNameAsFilter2) + ' = @ColFilter2VAL'

    EXECUTE sp_executesql @sqlCommand,
            N'@ColFilter1VAL nvarchar(75), @ColFilter2VAL nvarchar(75)', 
            @ColFilter1VAL, @ColFilter2VAL
END
于 2013-07-10T04:16:42.143 回答
1

如果你真的想走这条路,这里是一个起点。它包括一个免费的字符串拆分功能。并使用NULLs 而不是空字符串来指示未使用的过滤器列。

create function dbo.SplitCSL( @CSL as NVarChar(4000) )
  -- Based on Jeff Moden's design.
  returns table
  with schemabinding as
  return
  with Digits as ( select Digit from ( values (0), (1), (2), (3), (4), (5), (6), (7), (8), (9) ) as Digits( Digit ) ),
    Numbers as ( select ( ( Ten_3.Digit * 10 + Ten_2.Digit ) * 10 + Ten_1.Digit ) * 10 + Ten_0.Digit + 1 as Number
      from Digits as Ten_0 cross join Digits as Ten_1 cross join Digits as Ten_2 cross join Digits as Ten_3 ),
    cteTally(N) as ( select 0 union all select top ( DataLength( IsNull( @CSL, 1 ) ) ) 
      Row_Number() over ( order by ( select NULL ) ) from Numbers ),
    cteStart(N1) as ( select N + 1 from cteTally where Substring( @CSL, N, 1 ) = N',' OR N = 0 )
  select Item = Substring( @CSL, N1, IsNull( NullIf( CharIndex( N',', @CSL, N1 ), 0 ) - N1, 8000 ) )
    from cteStart;
go

create procedure [dbo].[SafeSqlSP_SelectGivenTableWithOptionalColFilter] 
  @ColumnList VarChar(75) = '*',
  @TableName SysName,
  @ColNameAsFilter1 VarChar(75) = NULL,
  @ColNameAsFilter2 VarChar(75) = NULL,
  @ColFilter1Val VarChar(75) = '',
  @ColFilter2Val VarChar(75) = ''       
as
  begin

  set nocount on;

  declare @Schema as SysName = 'dbo';

  -- Validate the table name.
  if not exists ( select 42 from Information_Schema.Tables where Table_Schema = @Schema and Table_Name = @TableName )
    begin
    RaIsError( '@TableName   does not reference a valid table or view.', 13, 0 );
    return;
    end;

  -- Validate and   QUOTENAME   the column list.
  declare @SelectList as NVarChar(1000);
  if @ColumnList = '*'
    set @SelectList = '*'
  else
    begin
    declare @Columns as Table ( ColumnName SysName );
    insert into @Columns
      select Item from dbo.SplitCSL( @ColumnList );
    if exists ( select 42 from @Columns as C left outer join
      Information_Schema.Columns as ISC on ISC.Table_Schema = @Schema and ISC.Table_Name = @TableName and ISC.Column_Name = C.ColumnName
      where ISC.Column_Name is NULL )
      begin
      RaIsError( '@ColumnList   references an invalid column in the table or view.', 13, 0 );
      return;
      end;
    -- Build a comma separated list ofquoted column names.
    select @SelectList = Stuff(
      ( select N',' + QuoteName( ColumnName ) from @Columns for XML path(''), type).value('.[1]', 'NVarChar(1000)' ),
      1, 1, '' );
    end;

  -- Validate the filter columns.
  if @ColNameAsFilter1 is not NULL and
    not exists ( select 42 from Information_Schema.Columns
      where Table_Schema = @Schema and Table_Name = @TableName and Column_Name = @ColNameAsFilter1 )
    begin
    RaIsError( '@ColNameAsFilter1   does not reference a valid column in the table or view.', 13, 0 );
    return;
    end;
  if @ColNameAsFilter2 is not NULL and
    not exists ( select 42 from Information_Schema.Columns
      where Table_Schema = @Schema and Table_Name = @TableName and Column_Name = @ColNameAsFilter2 )
    begin
    RaIsError( '@ColNameAsFilter2   does not reference a valid column in the table or view.', 13, 0 );
    return;
    end;

  -- Build the parameterized query.
  declare @SqlCommand as NVarChar(1000) =
    'select ' + @SelectList + ' from ' + QuoteName( @Schema ) + '.' + QuoteName( @TableName ) + case
    when @ColNameAsFilter1 is not NULL and @ColNameAsFilter2 is NULL
      then ' where ' + QuoteName( @ColNameAsFilter1 ) + ' = @ColFilter1Val'
    when @ColNameAsFilter1 is NULL and @ColNameAsFilter2 is not NULL
      then ' where ' + QuoteName( @ColNameAsFilter2 ) + ' = @ColFilter2Val'
    when @ColNameAsFilter1 is not NULL and @ColNameAsFilter2 is not NULL
      then ' where ' + QuoteName( @ColNameAsFilter1 ) + ' = @ColFilter1Val and ' + QuoteName( @ColNameAsFilter2 ) + ' = @ColFilter2Val'
    else ''
    end

  print 'SQL: ' + @SqlCommand; -- Debugging.

  declare @ParameterDefinitions as NVarChar(1000) = '@ColFilter1Val VarChar(75), @ColFilter2Val VarChar(75)';
  execute sp_ExecuteSql @SqlCommand, @ParameterDefinitions, @ColFilter1Val, @ColFilter2Val;

  end
go

调用该过程的 C# 代码如下所示:

using (SqlConnection sqlConnection = new SqlConnection(yourConnectionString))
{
    // Connect to the database.
    sqlConnection.Open();

    using (SqlCommand sqlCommand = new SqlCommand())
    {
        // Set up the stored procedure call.
        sqlCommand.Connection = sqlConnection;
        sqlCommand.CommandType = System.Data.CommandType.StoredProcedure;
        sqlCommand.CommandText = "SafeSqlSP_SelectGivenTableWithOptionalColFilter";
        sqlCommand.Parameters.AddWithValue("@ColumnList", "ShoeSize");
        sqlCommand.Parameters.AddWithValue("@TableName", "Employees");
        sqlCommand.Parameters.AddWithValue("@ColNameAsFilter1 ", "ManagerId");
        sqlCommand.Parameters.AddWithValue("@ColFilter1Val ", "42");

        // Execute the stored procedure.
        SqlDataReader reader = sqlCommand.ExecuteReader();

        // Process the results.
        while (reader.Read())
        {
            Debug.Print((string)reader["ShoeSize"]);
        }
        reader.Close();
    }
    sqlConnection.Close();
}
于 2013-07-10T04:03:55.587 回答