Reputation: 659
How to avoid SQL injection risk when creating table dynamically?
Here is simple procedure that creates table from user provided input:
PROCEDURE `hackProcedure`(
IN tab_name VARCHAR(63))
BEGIN
IF (tab_name REGEXP '^[A-Za-z0-9 ]+$')
THEN
SET @StB = CONCAT('CREATE TABLE tab_name
(id INT(10) PRIMARY KEY NOT NULL UNIQUE AUTO_INCREMENT,
name VARCHAR(45),
guid VARCHAR(36));');
PREPARE statementB FROM @StB;
EXECUTE statementB;
DEALLOCATE PREPARE statementB;
ELSE
-- SIGNAL some error;
END IF;
#END
Before creating table I check that user input contains only alfa-numeric values, so to my understanding bad person trying to do an SQL injection on this procedure can not succeed because it is not possible to comment out the rest of the query nor add other columns. Is this safe or I am missing someting?
Upvotes: 0
Views: 403
Answers (1)
Reputation: 48367
Its not vulnerable because the code you've shown us uses a literal value for the table name - not the parameter. I think you wanted to do this:
CONCAT('CREATE TABLE ', tab_name, '
(id INT(10) PRIMARY KEY NOT NULL UNIQUE AUTO_INCREMENT,
name VARCHAR(45),
guid VARCHAR(36));');
Now, what if I call your function with...
dummy (id INT NOT NULL); DROP TABLE mysql.users; CREATE TABLE dummy2
?
It will fail because the semi-colon and brackets wull be rejected by the regex, but this is far from a robust solution.
Adding backtick quotes around the table name (as long as they are disallowed by the regex) is a slight improvement.
CONCAT('CREATE TABLE `', tab_name, '`
Upvotes: 2
Related Questions
- How can I prevent SQL injection with dynamic tablenames?
- can't create a table in mysql with dynamic sql
- How to create table dynamically at run time
- Create table dynamically from mysql query
- Table name changing to avoid SQL injection attack
- SQL database table creation with variable
- mysql create table dynamically
- Is it okay to dynamically create a MySQL table?
- Escaping SQL Data Types in a CREATE TABLE statement
- How To Avoid sql injections to existing code