0

Analysis the sql comes from sql log only, trying to find out which sql statement has risk of sql injection. it is different from the perspective of application side check.

Tao
  • 1
  • 2
    Define "sql log". What component in the system is logging the SQL statement and what, exactly, is it logging? If you're looking for SQL injection, you'd be looking for cases where the application is dynamically assembling the SQL statement based on user input rather than using bind variables. Depending on what is logging the SQL and how it is being logged, that may be difficult. You could look for statements that include any literals but that may miss cases where SQL is dynamically assembled with bind variables and may include lots of SQL that is not subject to SQL injection. – Justin Cave Feb 18 '21 at 07:50
  • 1
    I agree with @JustinCave. The only way to really assess SQL injection exposure is to analyze how the SQL is constructed in the code. You won't be able to tell much just from looking at the finished product. – pmdba Feb 18 '21 at 11:49
  • One way of seeing a certain class of injection, not all of them, is to examine query plans in the cache with the same query_plan_hash but different query_hash – Charlieface Feb 18 '21 at 22:09
  • You need to audit your code, not the SQL statements running on the database. – Colin 't Hart Feb 20 '21 at 15:16

1 Answers1

2

Analysis the sql comes from sql log only, trying to find out which sql statement has risk of sql injection.

By the time the SQL reaches your database, it's probably too late to tell.

By the time the SQL reaches the sql log (having been executed), it's definitely too late!

If you see lots of placeholders ('?' or ':name'), then your SQL is using Prepared Statements and, therefore, is probably safe from SQL Injection.

If you see lots of literal values, your database has no way of knowing how they got there.
For example, both of the following would reach you looking exactly the same but, as you can clearly see, one is clearly vulnerable.

$sql = "update table1 set name = 'fred' where id = 76543 ";

$name = $_POST['name'];
$id =   $_POST['id'];
$sql =  "update table1 set name = '$name' where id = $id ";

SQL Injection is an Application problem. Plain and simple.
Point your Developers in the direction of this Accepted Answer, over on Software Engineering, particularly the Security section.

Phill W.
  • 8,706
  • 1
  • 11
  • 21