/* 취약ì 개요 SQL Injection URL 매개변수와 ê°™ì€ ì‚¬ìš©ìž ì œê³µ ë°ì´í„°ëŠ” í•ìƒ ì‹ ë¢°í• ìˆ˜ ì—†ê³ ì˜¤ì—¼ëœ ê²ƒìœ¼ë¡œ 간주ë˜ì–´ì•¼ 합니다. ì˜¤ì—¼ëœ ë°ì´í„°ì—ì„œ ì§ì ‘ SQL 쿼리를 구성하면 공격ìžê°€ 쿼리 ìžì²´ì˜ 초기 ì˜ë¯¸ë¥¼ 변경하는 특수하게 ì¡°ìž‘ëœ ê°’ì„ ì‚½ìž…í• ìˆ˜ 있습니다. 성공ì ì¸ ë°ì´í„°ë² ì´ìŠ¤ 쿼리 주입 ê³µê²©ì€ ë°ì´í„°ë² ì´ìŠ¤ì—ì„œ 민ê°í•œ ì •ë³´ë¥¼ ì½ê±°ë‚˜ ìˆ˜ì •í•˜ê±°ë‚˜ ì‚ì œí• ìˆ˜ 있으며 때로는 ë°ì´í„°ë² ì´ìŠ¤ë¥¼ 종료하거나 ìž„ì˜ì˜ ìš´ì˜ ì²´ì œ ëª…ë ¹ì„ ì‹¤í–‰í• ìˆ˜ë„ ìžˆìŠµë‹ˆë‹¤. ì¼ë°˜ì 으로 ì†”ë£¨ì…˜ì€ ì¤€ë¹„ëœ ëª…ë ¹ë¬¸ì„ ì‚¬ìš©í•˜ê³ setString, 와 ê°™ì€ ì „ìš© 메서드를 사용하여 변수를 SQL 쿼리 ë§¤ê°œë³€ìˆ˜ì— ë°”ì¸ë”©í•˜ì—¬ 사용ìžê°€ ì œê³µí•œ ë°ì´í„°ê°€ ì ì ˆí•˜ê²Œ ì´ìŠ¤ì¼€ì´í”„ë˜ë„ë¡ í•˜ëŠ” 것입니다. ë˜ ë‹¤ë¥¸ ì†”ë£¨ì…˜ì€ ì¿¼ë¦¬ë¥¼ 작성하는 ë° ì‚¬ìš©ë˜ëŠ” ëª¨ë“ ë§¤ê°œë³€ìˆ˜ì˜ ìœ íš¨ì„±ì„ ê²€ì‚¬í•˜ëŠ” 것입니다. ì´ê²ƒì€ 문ìžì—´ ê°’ì„ ê¸°ë³¸ ìœ í˜•ìœ¼ë¡œ 변환하거나 í—ˆìš©ëœ ê°’ì˜ í™”ì´íŠ¸ë¦¬ìŠ¤íŠ¸ì— 대해 ìœ íš¨ì„±ì„ ê²€ì‚¬í•˜ì—¬ ë‹¬ì„±í• ìˆ˜ 있습니다. ì´ ê·œì¹™ì€ JDBC, Java EE Entity Manager, Spring Framework, Hibernate, JDO, Android ë°ì´í„°ë² ì´ìŠ¤, Apache Torque, Apache Turbine, MyBastis, Rapidoid를 지ì›í•©ë‹ˆë‹¤. */ // Noncompliant Code Example public boolean authenticate(javax.servlet.http.HttpServletRequest request, java.sql.Connection connection) throws SQLException { String user = request.getParameter("user"); String pass = request.getParameter("pass"); String query = "SELECT * FROM users WHERE user = '" + user + "' AND pass = '" + pass + "'"; // Unsafe // If the special value "foo' OR 1=1 --" is passed as either the user or pass, authentication is bypassed // Indeed, if it is passed as a user, the query becomes: // SELECT * FROM users WHERE user = 'foo' OR 1=1 --' AND pass = '...' // As '--' is the comment till end of line syntax in SQL, this is equivalent to: // SELECT * FROM users WHERE user = 'foo' OR 1=1 // which is equivalent to: // SELECT * FROM users WHERE 1=1 // which is equivalent to: // SELECT * FROM users java.sql.Statement statement = connection.createStatement(); java.sql.ResultSet resultSet = statement.executeQuery(query); // Noncompliant return resultSet.next(); } // Compliant Solution public boolean authenticate(javax.servlet.http.HttpServletRequest request, java.sql.Connection connection) throws SQLException { String user = request.getParameter("user"); String pass = request.getParameter("pass"); // Safe even if authenticate() method is still vulnerable to brute-force attack in this specific case String query = "SELECT * FROM users WHERE user = ? AND pass = ?"; // PreparedStatement ë°©ì‹ìœ¼ë¡œ SQL ì¿¼ë¦¬ë¬¸ì„ ê³ ì •í•œ 후, user/pass 파ë¼ë¯¸í„°ì˜ ê°’ì„ setString 하면 ë³€ì¡°ëœ SQL ì¿¼ë¦¬ë¬¸ì´ ì‹¤í–‰ë˜ì§€ 않는 구조임. java.sql.PreparedStatement statement = connection.prepareStatement(query); statement.setString(1, user); // Will be properly escaped statement.setString(2, pass); java.sql.ResultSet resultSet = statement.executeQuery(); return resultSet.next(); }