
How to Call SQL Safely (安全なSQLの呼び出し方) - ipa.go.jp

March 2010. Supplement (別冊) to "How to Build Secure Websites" (安全なウェブサイトの作り方): How to Call SQL Safely (安全なSQLの呼び出し方). Published by IPA (ipa.go.jp).

Contents

1. Introduction … 4
2. SQL injection … 5
3. SQL injection countermeasures … 9
4. SQL … 13
   quote … 13
5. DBMS … 16
   Java + Oracle … 16
   PHP + PostgreSQL … 18


   Perl + MySQL … 21
      quote … 21
   Java + MySQL … 25
   … + Microsoft SQL Server … 27
Appendix A … 31
   Shift_JIS and SQL … 32
   Unicode and SQL … 33
   Oracle and Unicode … 35
   Microsoft SQL Server … 36

1. Introduction

The parent document "How to Build Secure Websites" gives, as countermeasure 1)-2 against SQL injection, escaping of the characters that are special inside SQL literals: a single quote ' is written as '' and a backslash \ as \\. This supplement explains in detail how an SQL statement is assembled safely from external input, and how the rules differ between DBMS products.

2. SQL injection

An SQL statement is made up of keywords, operators, identifiers and literals. In

SELECT a,b,c FROM atable WHERE name='YAMADA' and age>=20

SELECT, FROM, WHERE and AND are keywords; =, >= and the comma , are operators and delimiters; a, b, c, atable, name and age are identifiers; 'YAMADA' and 20 are literals. A value that comes from outside the program, such as an employee_id of 052312, enters the statement as a literal:

SELECT name, age FROM employee WHERE employee_id = '052312'

Here '052312' is a character string literal. Numeric literals are written as plain numbers such as 20, -17, 0 and +23.

A character string literal is enclosed in single quotes: '052312', 'O''Reilly'. Date and time literals are written with a type keyword in front, as in DATE '2009-11-04' and TIME '13:59:26'. Inside a string literal a single quote is represented by two single quotes, which is why the name O'Reilly is written 'O''Reilly'. If the name is put into the statement as it is,

SELECT * FROM employee WHERE name = 'O'Reilly'

the DBMS reads 'O' as a complete literal followed by the stray tokens Reilly', so the statement is not valid SQL. The correct statement is

SELECT * FROM employee WHERE name = 'O''Reilly'
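The quoting rule above, worked through as an added example that is not part of the IPA document: a Python quote_literal helper that doubles single quotes, run against an in-memory SQLite table with constructed rows, so that the naive 'O'Reilly' is seen to fail as a syntax error while 'O''Reilly' matches. The table contents and the function names are assumptions of this example.

```python
import sqlite3

# Constructed sample rows (not from the IPA document).
EMPLOYEES = [("O'Reilly", 41), ("YAMADA", 20), ("052312", 33)]


def quote_literal(value: str) -> str:
    """Write value as a standard-SQL character string literal.

    JIS/ISO SQL has exactly one escape inside a string literal: a single
    quote is written as two single quotes.  Backslash is ordinary data in
    the standard; a DBMS that treats it specially (MySQL does) needs its
    own quote function instead of this one, and a placeholder is better
    still.
    """
    return "'" + value.replace("'", "''") + "'"


def lookup_by_name(conn: sqlite3.Connection, name: str, quoted: bool) -> list:
    """Assemble WHERE name = <literal> by string concatenation.

    quoted=False reproduces the broken form 'O'Reilly'; quoted=True uses
    quote_literal().  Concatenation is kept here only to show the
    difference between the two forms.
    """
    literal = quote_literal(name) if quoted else "'" + name + "'"
    sql = "SELECT name, age FROM employee WHERE name = " + literal
    return conn.execute(sql).fetchall()


def demo() -> dict:
    """Run both forms against a fresh in-memory table; return the outcomes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?)", EMPLOYEES)
    out = {}
    # 'O'Reilly' : the literal 'O' followed by the stray tokens Reilly'
    try:
        lookup_by_name(conn, "O'Reilly", quoted=False)
        out["naive"] = "accepted"
    except sqlite3.OperationalError as exc:
        out["naive"] = "syntax error: " + str(exc)
    # 'O''Reilly' : one literal whose value contains a single quote
    out["doubled"] = lookup_by_name(conn, "O'Reilly", quoted=True)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The naive form fails only because the name happens to contain one quote; a name containing a quote followed by SQL text would instead be accepted and executed, which is the subject of the following pages.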

A numeric literal is an optional sign (+ or -) followed by one or more of the digits 0 to 9.

The SQL standard, JIS/ISO SQL (JIS X 3005, ISO/IEC 9075), also defines comments: everything from -- to the end of the line is ignored, so in

SELECT * FROM employee WHERE age >= 25--comment

the text comment is not part of the statement. JIS/ISO SQL requires a separator between a literal and a following keyword, so

SELECT * FROM employee WHERE age >= 25and age <= 60

is not valid under the standard: 25 and and must be separated. Microsoft SQL Server and PostgreSQL accept it anyway. How a statement is split into tokens therefore depends on the DBMS, which matters when judging what an injected string will do.

SQL injection arises when a program builds the statement text by string concatenation and the concatenated pieces include input from outside. Consider a Perl program that takes a parameter id into $id and writes:

$q = "SELECT * FROM atable WHERE id='$id'";

If $id holds ';DELETE FROM atable-- the resulting statement is

SELECT * FROM atable WHERE id='';DELETE FROM atable--'

The quote in the input closes the literal, the semicolon ends the SELECT, a DELETE follows, and -- turns the trailing quote supplied by the program into a comment. The SELECT the programmer intended is followed by a DELETE the attacker wrote: this is SQL injection.

The quote is not essential to the attack. If the program treats id as a number and omits the quotes,

$q = "SELECT * FROM atable WHERE id=$id";

then with $id set to 0;DELETE FROM atable the statement becomes

SELECT * FROM atable WHERE id=0;DELETE FROM atable

and again a SELECT is followed by a DELETE, without a single quote in the input.

3. SQL injection countermeasures

Two approaches are covered: placeholders, described here, and quoting with quote functions (page 13) when the statement text is assembled by string concatenation. Consider a PHP CGI program that receives a parameter name:

$name = $_POST['name']; // …
$sql = "SELECT * FROM employee WHERE name='" . $name . "'";

Whatever $name contains is pasted into the statement text and parsed as SQL. With a placeholder the statement is written with ? in the position of the value,

SELECT * FROM employee WHERE name=?

and the value is supplied separately. In Java this is done with PreparedStatement (conn is assumed to be an open java.sql.Connection):

PreparedStatement prep = conn.prepareStatement("SELECT * FROM employee WHERE name=?");
prep.setString(1, name);

The ? is the placeholder, and a statement prepared this way is what JIS/ISO SQL calls a prepared statement.

Figure: how values are bound to placeholders. The statement text is fixed,

SELECT * FROM table WHERE id = ? and passwd = ?

and only the values change. Binding id = satou and passwd = a15T has the effect of

SELECT * FROM table WHERE id = satou and passwd = a15T

while binding id = takana and passwd = vRi5 has the effect of

SELECT * FROM table WHERE id = takana and passwd = vRi5

With a prepared statement the DBMS parses the statement text before it sees the values, so a bound value can never add or remove keywords, operators or statements; it is only ever data.
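The two Perl injections (quoted and unquoted concatenation) and the placeholder version side by side, as an added example that is not part of the IPA document: Python's sqlite3 module, a constructed atable, and the document's own payloads. sqlite3.Connection.executescript stands in for a DBMS driver that passes stacked statements through to the DBMS, which is an assumption about the driver (sqlite3's execute() would reject them). The function names and the sample rows are this example's own.

```python
import sqlite3

# Constructed rows; the table name atable and column id are the IPA document's.
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]

# The two inputs quoted in the document's Perl examples.
STRING_PAYLOAD = "';DELETE FROM atable--"
NUMERIC_PAYLOAD = "0;DELETE FROM atable"


def fresh_db() -> sqlite3.Connection:
    """An in-memory database with three rows in atable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE atable (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO atable VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM atable").fetchone()[0]


def vulnerable_query(conn: sqlite3.Connection, user_id: str, quoted: bool) -> int:
    """String concatenation, as in $q = "...id='$id'" (quoted) or "...id=$id".

    executescript() is used as a stand-in for a driver that forwards stacked
    statements to the DBMS (assumption: some drivers do; sqlite3.execute()
    does not).  Returns the number of rows left in atable afterwards.
    """
    literal = "'" + user_id + "'" if quoted else user_id
    conn.executescript("SELECT * FROM atable WHERE id=" + literal)
    return row_count(conn)


def placeholder_query(conn: sqlite3.Connection, user_id) -> list:
    """Placeholder: the statement text is fixed, the value is bound.

    The DBMS parses "SELECT * FROM atable WHERE id=?" before it sees the
    value, so the value is only ever compared with id, never parsed as SQL.
    """
    return conn.execute("SELECT * FROM atable WHERE id=?", (user_id,)).fetchall()


def demo() -> dict:
    """Run the attacks against concatenation and against a placeholder."""
    out = {}
    # Quoted concatenation: the quote in the input closes the literal, DELETE runs
    out["string_injection_rows_left"] = vulnerable_query(fresh_db(), STRING_PAYLOAD, quoted=True)
    # Unquoted concatenation: no quote is needed at all, DELETE still runs
    out["numeric_injection_rows_left"] = vulnerable_query(fresh_db(), NUMERIC_PAYLOAD, quoted=False)
    # The same inputs through a placeholder: no match, and nothing deleted
    conn = fresh_db()
    out["placeholder_string"] = placeholder_query(conn, STRING_PAYLOAD)
    out["placeholder_numeric"] = placeholder_query(conn, NUMERIC_PAYLOAD)
    out["placeholder_rows_left"] = row_count(conn)
    # A legitimate id still works
    out["placeholder_normal"] = placeholder_query(conn, 2)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both injected inputs empty atable when concatenated, and both are harmless when bound: the placeholder turns them into a comparison against id that simply matches nothing. For a numeric column the bound value should additionally be converted to an integer before binding, so that malformed input is rejected up front rather than compared as text.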