
Read almost all the posts on this but could not judge whether my procedures are vulnerable or not. Any help is appreciated.

1) calling Procedure as:

$query = ($is_mine?'call dispatch.dis_get_my_assigned_tasks("'.$username.'");'

Procedure :

CREATE DEFINER=`test`@`localhost` PROCEDURE `dis_get_all_assigned_tasks`()
BEGIN    
    select distinct at_id, at_issues, at_location, at_room_number, user_fname
        from dispatch.dis_assigned_tasks 
        left outer join dispatch.dis_users 
        on user_id  = at_user
    order by at_location, at_user_pickup_timestamp  desc; 
END

2) calling Procedure as:

$query = "call dispatch.dis_get_user_info('".$username."');";

Procedure :

CREATE DEFINER=`test`@`localhost` PROCEDURE `dis_get_user_info`(IN username VARCHAR(45))
BEGIN    
    select * from dispatch.dis_users where user_username = username;
END

These procedures are not vulnerable to SQL injection, but your queries are.

To prevent (and understand) SQL injection, see our reference question:

As for the "almost all the posts on this" that you say you have read, it looks like they did not cover the subject very well. I suggest you pick better material to educate yourself with.

answered 2013-08-28T19:31:03.813
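The answer's point is that the stored procedure itself is fine; the problem is the PHP call site, which splices `$username` straight into the SQL text. The following is an added example (not code from the question or the answer) showing the same `dis_get_user_info` call made with a bound parameter through PDO. The connection details, the `getUserInfo` function name, and the sample username `O'Brien` are assumptions for illustration.

```php
<?php
// Added example: calling the question's stored procedure with a bound parameter
// instead of string concatenation. Credentials and host are placeholders.

$pdo = new PDO(
    'mysql:host=localhost;dbname=dispatch;charset=utf8mb4',
    'test',            // placeholder user
    'PLACEHOLDER_PW',  // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// Vulnerable form, as in the question: the value becomes part of the SQL text.
// A username containing a quote (e.g. O'Brien) breaks the statement, and a
// crafted one can change what the statement does.
function getUserInfoUnsafe(PDO $pdo, string $username): array
{
    $sql  = "call dispatch.dis_get_user_info('" . $username . "');";
    $stmt = $pdo->query($sql);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    $stmt->closeCursor();
    return $rows;
}

// Safe form: the procedure is unchanged; only the call site changes. The ?
// placeholder is sent separately from the SQL text, so whatever the user typed
// reaches the procedure as a plain VARCHAR value and can never be parsed as SQL.
function getUserInfo(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('CALL dispatch.dis_get_user_info(?)');
    $stmt->execute([$username]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    $stmt->closeCursor(); // CALL returns an extra result set; release it before the next query
    return $rows;
}

// Usage with an assumed sample value: works with the bound parameter, and would
// raise a syntax error (or worse) with the concatenated form.
$username = "O'Brien";
print_r(getUserInfo($pdo, $username));
```

The same change applies to the first query: keep the `CALL` text fixed with a `?` placeholder and pass the username in `execute()`, regardless of which procedure the `$is_mine` branch selects. `closeCursor()` matters with MySQL stored procedures because `CALL` produces a trailing status result set; without it the next statement on the same connection fails with an "unbuffered queries" error.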