Input validation and representation problems are caused by metacharacters, alternate encodings, and numeric representations. Trusting input leads to security problems. These problems include buffer overflows, cross-site scripting attacks, SQL injection, and many others.
...
using System;
using Saxon.Api;

// Fragment of an ASP.NET page handler: the query text is built by concatenating
// untrusted request values directly into the XQuery source.
String squery = "for $user in doc(\"users.xml\")//user[username='" + Request["username"] + "' and pass='" + Request["password"] + "'] return $user";
Processor processor = new Processor();
XdmNode indoc = processor.NewDocumentBuilder().Build(new Uri(Server.MapPath("users.xml")));
XQueryCompiler compiler = processor.NewXQueryCompiler();
// Compile the concatenated query string directly.
XQueryExecutable exp = compiler.Compile(squery);
XQueryEvaluator eval = exp.Load();
eval.ContextItem = indoc;
// Serialise the matching <user> elements straight into the HTTP response.
Serializer qout = new Serializer();
qout.SetOutputProperty(Serializer.METHOD, "xml");
qout.SetOutputProperty(Serializer.DOCTYPE_PUBLIC, "-//W3C//DTD XHTML 1.0 Strict//EN");
qout.SetOutputProperty(Serializer.DOCTYPE_SYSTEM, "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd");
qout.SetOutputProperty(Serializer.INDENT, "yes");
qout.SetOutputProperty(Serializer.OMIT_XML_DECLARATION, "no");
qout.SetOutputWriter(Response.Output);
eval.Run(qout);
...
for $user in doc("users.xml")//user[username='test_user' and pass='pass123'] return $user

However, the query executes correctly only when neither username nor password contains a single-quote character. If an attacker enters the string admin' or 1=1 or ''=' for username, the query becomes:

for $user in doc("users.xml")//user[username='admin' or 1=1 or ''='' and pass='x' or ''=''] return $user

The addition of admin' or 1=1 or ''=' causes the XQuery expression to always evaluate to true, so the query is logically equivalent to the much simpler query: //user[username='admin']
...
import javax.xml.xquery.*;
import net.sf.saxon.xqj.SaxonXQDataSource;  // XQDataSource is an interface; a vendor implementation is needed (Saxon assumed here)

// Fragment of a servlet handler; every XQJ call below throws the checked XQException.
XQDataSource xqs = new SaxonXQDataSource();
XQConnection conn = xqs.getConnection();
// The query text is built by concatenating untrusted request parameters.
String query = "for $user in doc(\"users.xml\")//user[username='" + request.getParameter("username") + "' and pass='" + request.getParameter("password") + "'] return $user";
XQPreparedExpression xqpe = conn.prepareExpression(query);
XQResultSequence rs = xqpe.executeQuery();
...
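The remedy the concatenated queries above call for, shown here as an added example that is not part of the original page: the Java/XQJ lookup rewritten so that the query text is a constant and the user-supplied values are bound to external XQuery variables, where they are compared as plain string data. It assumes Saxon's XQJ implementation (net.sf.saxon.xqj.SaxonXQDataSource) and a users.xml whose <user> elements carry <username> and <pass> children.

```java
import javax.xml.namespace.QName;
import javax.xml.xquery.*;
import net.sf.saxon.xqj.SaxonXQDataSource;  // assumption: Saxon's XQJ implementation

public class SafeUserLookup {
    // The query text is fixed. The two external variables are the only places
    // user input enters, and a bound value can never change the query's structure.
    private static final String QUERY =
        "declare variable $username as xs:string external;" +
        "declare variable $password as xs:string external;" +
        "for $user in doc('users.xml')//user[username = $username and pass = $password] " +
        "return $user";

    public static XQResultSequence findUser(XQConnection conn, String username, String password)
            throws XQException {
        XQPreparedExpression xqpe = conn.prepareExpression(QUERY);
        // bindString passes the value as data: a quote or an "or 1=1" in the input is
        // compared literally against the <username> text, never parsed as XQuery.
        xqpe.bindString(new QName("username"), username, null);  // null type = xs:string
        xqpe.bindString(new QName("password"), password, null);
        return xqpe.executeQuery();
    }

    public static void main(String[] args) throws XQException {
        XQDataSource xqs = new SaxonXQDataSource();
        XQConnection conn = xqs.getConnection();
        // Constructed input taken from the text above; with variable binding it
        // matches no user instead of turning the predicate into a tautology.
        XQResultSequence rs = findUser(conn, "admin' or 1=1 or ''='", "x");
        System.out.println(rs.next() ? "user found" : "no match");
        conn.close();
    }
}
```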
...
<?php
$memstor = InMemoryStore::getInstance();
$z = Zorba::getInstance($memstor);
try {
// get data manager
$dataman = $z->getXmlDataManager();
// load external XML document
$dataman->loadDocument('users.xml', file_get_contents('users.xml'));
// create and compile query: untrusted $_GET values are concatenated into the query text
$express =
"for \$user in doc(\"users.xml\")//user[username='" . $_GET["username"] . "' and pass='" . $_GET["password"] . "'] return \$user";
$query = $z->compileQuery($express);
// execute query
$result = $query->execute();
} catch (Exception $e) {
// compilation or execution failed
echo "XQuery error: " . $e->getMessage();
}
?>
...