当我在 PostgresSQL 中使用类似的东西时,我想知道我是否可以安全地防止 SQL 注入:
CREATE or REPLACE FUNCTION sp_list_name( VARCHAR )
RETURNS SETOF v_player AS '
DECLARE
v_start_name ALIAS FOR $1;
r_player v_player%ROWTYPE;
v_temp VARCHAR;
BEGIN
v_temp := v_start_name || ''%'';
FOR r_player IN
SELECT first_name, last_name FROM v_player WHERE last_name like v_temp
LOOP
RETURN NEXT r_player;
END LOOP;
RETURN;
END;
' LANGUAGE 'plpgsql' VOLATILE;
我想用这个函数列出以字母开头的玩家名字。
select * from sp_list_name( 'A' );
给我姓氏以 A 开头的玩家。
我试图注入sql
select * from sp_list_name( 'A; delete from t_player;--' );
select * from sp_list_name( '''; delete from t_player;--' );
我安全吗?
哪种情况可以注射?
问候