I just met a developer who prepended every table and column name in his MYSQL databases with an underscore (e.g. _users, _name, _active). When I questioned the practice he stated that this helps prevent SQL injection attacks - I have never come across this practice/advice before. How does it help to prevent SQL injection attacks?
我刚认识了一个开发人员,他在MYSQL数据库中使用下划线(例如_users,_name,_active)添加了每个表和列名称。当我质疑这种做法时,他说这有助于防止SQL注入攻击 - 我之前从未遇到过这种做法/建议。它如何有助于防止SQL注入攻击?
2 个解决方案
#1
29
No.
没有。
His thinking goes "If the attacker doesn't know the name of my tables, then the attacker can't mess with them." However, you're still vulnerable to SQL injection, and the attacker can still cause arbitrary system calls, perhaps to well-known system tables. What if he adds some SQL code that causes very long queries against a system table that bogs down your server?
他的想法是“如果攻击者不知道我的桌子的名字,那么攻击者就不会搞砸他们。”但是,您仍然容易受到SQL注入攻击,并且攻击者仍然可能导致任意系统调用,可能是众所周知的系统表。如果他添加一些SQL代码导致对系统表进行非常长的查询会导致服务器陷入困境怎么办?
Security through obscurity is no security at all.
通过默默无闻的安全根本不是安全。
#2
4
_this, _ here has no relation to security ,with that it can be vulnerable
_this,_这里与安全无关,因为它可能是脆弱的
Good read
好读
Best way to prevent SQL injection?
防止SQL注入的最佳方法?
#1
29
No.
没有。
His thinking goes "If the attacker doesn't know the name of my tables, then the attacker can't mess with them." However, you're still vulnerable to SQL injection, and the attacker can still cause arbitrary system calls, perhaps to well-known system tables. What if he adds some SQL code that causes very long queries against a system table that bogs down your server?
他的想法是“如果攻击者不知道我的桌子的名字,那么攻击者就不会搞砸他们。”但是,您仍然容易受到SQL注入攻击,并且攻击者仍然可能导致任意系统调用,可能是众所周知的系统表。如果他添加一些SQL代码导致对系统表进行非常长的查询会导致服务器陷入困境怎么办?
Security through obscurity is no security at all.
通过默默无闻的安全根本不是安全。
#2
4
_this, _ here has no relation to security ,with that it can be vulnerable
_this,_这里与安全无关,因为它可能是脆弱的
Good read
好读
Best way to prevent SQL injection?
防止SQL注入的最佳方法?