
About SQL Injection Countermeasures - ipa.go.jp


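Threats of SQL injection
• The database can be manipulated directly
  – Leakage of confidential information, personal information, etc.
• Leakage of credit card information that was stored in the database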


Transcription of About SQL Injection Countermeasures - ipa.go.jp

1 Copyright 2008 SQL 3. 4. Copyright 2008 1. SQL 2 Copyright 2008 3 SQL Copyright 2008 Real Money Trade (2008 5 7 )* *4* SQL 40 50% Copyright 2008 5 SQL ITpro SQL RMT RMT SQL SQL Copyright 2008 SQL 6 Copyright 2008 7 SQL Copyright 2008 2.

2 SQL 8 Copyright 2008 SQL SQL (RDBMS) 9 Copyright 2008 SQL IDjohnuserjohn

    SELECT * FROM user WHERE id='$ID'

SQL

    SELECT * FROM user WHERE id='john'

john IDjohn or A = A

    SELECT * FROM user WHERE id='john' or 'A'='A'

john or A = A 10 Copyright 2008 SQL (Prepared Statement) Perl DBI quote() PHP dbx_escape_string() s/'/''/g; 11 Copyright 2008 12 ' ''

    $p=foo'or 'a'='a
    SELECT * FROM a WHERE id='foo'' or ''a''=''a';

Copyright 2008 13 ( : Perl DBI)

    $sth = $dbh->prepare("SELECT id, name, tel, address, mail FROM usr WHERE uid=? AND passwd=?");
    $sth->execute($uid, $passwd);

3 6 SQL : #1 2008 14 DB Copyright 2008 SQL SQL 15 3 2008 3. 16 Copyright 2008 zSQL z z 17iLogScanner Copyright 2008 iLogScanner 18 2008 iLogScanner IPA OSS iPedia SQL 191. IPA OSS iPedia 2. 2008 1 6 3. iLogScanner (1) 123 (2) 0 4.

4 0 Copyright 2008 iLogScanner SQL - - 20 Copyright 2008 4. 21 Copyright 2008 SQL SQL iLogScanner 22 Copyright 2008 z - - z z TCP/IP 3 z 3 z 23 Copyright 2008 z z z z 24 Copyright 2008 25 z z (Phishing)

5 OS - Windows Microsoft Update - PDF Copyright 2008 26