Create database triggers with sql-injection without stacked queries
Currently I'm working on a research paper about SQL injection with RFID tags and I'm curious if it is possible to create a database trigger with an SQL injection if stacked queries are disabled. If stacked queries are enabled, of course it is easy (assuming you know the table layout), but what if they're disabled for security reasons?
The question is if it is possible to create a trigger, given that there is an SQL injection. Database does not matter, choose one that fits the needs.
What database are you looking for? In PostgreSQL every trigger calls a stored procedure. Inside a stored procedure, you can execute dynamic queries if you want. If you don't do anything against SQL injection, not using quote_ident() and/or quote_literal(), your procedure is vulnerable to SQL injection. That's your own choice.
User input can never be trusted, so why the worry about RFID input? It's input, therefore it can't be trusted.
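The point about quote_ident() and quote_literal() in the answer above, as an added example that is not part of the original answer: a PL/pgSQL trigger function that builds dynamic SQL from row values, first without quoting and then hardened. The tables `tag_reads` and `reads_dock` and the function names are hypothetical, constructed for illustration.

```sql
-- Constructed schema (assumption, not from the original post):
-- RFID reads land in tag_reads and a trigger copies each one into a
-- per-location table such as reads_dock.
CREATE TABLE tag_reads (
    tag_id   text NOT NULL,
    location text NOT NULL,
    read_at  timestamptz NOT NULL DEFAULT now()
);
CREATE TABLE reads_dock (tag_id text, read_at timestamptz);

-- VULNERABLE: row values are concatenated straight into the statement
-- text, so a quote character inside tag_id or location changes the
-- structure of the SQL that EXECUTE runs.
CREATE FUNCTION route_read_unsafe() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    EXECUTE 'INSERT INTO reads_' || NEW.location ||
            ' (tag_id, read_at) VALUES (''' || NEW.tag_id || ''', now())';
    RETURN NEW;
END;
$$;

-- HARDENED: quote_ident() turns the computed table name into a single
-- identifier and quote_literal() turns the tag into a single string
-- literal, whatever characters the tag carried.
-- quote_literal() returns NULL for NULL input; both columns are NOT NULL.
CREATE FUNCTION route_read_safe() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    EXECUTE 'INSERT INTO ' || quote_ident('reads_' || NEW.location) ||
            ' (tag_id, read_at) VALUES (' ||
            quote_literal(NEW.tag_id) || ', now())';
    -- Equivalent form that passes the value as a parameter instead:
    -- EXECUTE format('INSERT INTO %I (tag_id, read_at) VALUES ($1, now())',
    --                'reads_' || NEW.location) USING NEW.tag_id;
    RETURN NEW;
END;
$$;

-- EXECUTE FUNCTION is the PostgreSQL 11+ spelling; older releases use
-- EXECUTE PROCEDURE.
CREATE TRIGGER route_read
    AFTER INSERT ON tag_reads
    FOR EACH ROW EXECUTE FUNCTION route_read_safe();
```

With the hardened function, a location value that does not map to an existing table makes the insert fail with an undefined-table error rather than altering the statement.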