An SQL injection attempt was made against one of our systems (an open source publication database called BibApp, https://github.com/BibApp/BibApp), and it produced this error report:
A ActionView::Template::Error occurred in publications#index:
Mysql::Error: Column 'authority_id' in where clause is ambiguous: SELECT `publications`.`id` AS t0_r0, `publications`.`sherpa_id` AS t0_r1, `publications`.`publisher_id` AS t0_r2, `publications`.`source_id` AS t0_r3, `publications`.`authority_id` AS t0_r4, `publications`.`name` AS t0_r5, `publications`.`url` AS t0_r6, `publications`.`code` AS t0_r7, `publications`.`issn_isbn` AS t0_r8, `publications`.`created_at` AS t0_r9, `publications`.`updated_at` AS t0_r10, `publications`.`place` AS t0_r11, `publications`.`machine_name` AS t0_r12, `publications`.`initial_publisher_id` AS t0_r13, `publishers`.`id` AS t1_r0, `publishers`.`sherpa_id` AS t1_r1, `publishers`.`publisher_source_id` AS t1_r2, `publishers`.`authority_id` AS t1_r3, `publishers`.`publisher_copy` AS t1_r4, `publishers`.`name` AS t1_r5, `publishers`.`url` AS t1_r6, `publishers`.`romeo_color` AS t1_r7, `publishers`.`copyright_notice` AS t1_r8, `publishers`.`created_at` AS t1_r9, `publishers`.`updated_at` AS t1_r10, `publishers`.`machine_name` AS t1_r11, `works`.`id` AS t2_r0, `works`.`type` AS t2_r1, `works`.`title_primary` AS t2_r2, `works`.`title_secondary` AS t2_r3, `works`.`title_tertiary` AS t2_r4, `works`.`affiliation` AS t2_r5, `works`.`volume` AS t2_r6, `works`.`issue` AS t2_r7, `works`.`start_page` AS t2_r8, `works`.`end_page` AS t2_r9, `works`.`abstract` AS t2_r10, `works`.`notes` AS t2_r11, `works`.`links` AS t2_r12, `works`.`work_state_id` AS t2_r13, `works`.`work_archive_state_id` AS t2_r14, `works`.`publication_id` AS t2_r15, `works`.`publisher_id` AS t2_r16, `works`.`archived_at` AS t2_r17, `works`.`created_at` AS t2_r18, `works`.`updated_at` AS t2_r19, `works`.`original_data` AS t2_r20, `works`.`batch_index` AS t2_r21, `works`.`scoring_hash` AS t2_r22, `works`.`publication_date` AS t2_r23, `works`.`language` AS t2_r24, `works`.`copyright_holder` AS t2_r25, `works`.`peer_reviewed` AS t2_r26, `works`.`machine_name` AS t2_r27, `works`.`publication_place` AS t2_r28, `works`.`sponsor` AS t2_r29, `works`.`date_range` AS t2_r30, `works`.`identifier` AS t2_r31, `works`.`medium` AS t2_r32, `works`.`degree_level` AS t2_r33, `works`.`discipline` AS t2_r34, `works`.`instrumentation` AS t2_r35, `works`.`admin_definable` AS t2_r36, `works`.`user_definable` AS t2_r37, `works`.`authority_publication_id` AS t2_r38, `works`.`authority_publisher_id` AS t2_r39, `works`.`initial_publication_id` AS t2_r40, `works`.`initial_publisher_id` AS t2_r41, `works`.`location` AS t2_r42, `works`.`invited` AS t2_r43, `works`.`open_access` AS t2_r44 FROM `publications` LEFT OUTER JOIN `publishers` ON `publishers`.`id` = `publications`.`publisher_id` LEFT OUTER JOIN `works` ON `works`.`publication_id` = `publications`.`id` AND work_state_id = 3 WHERE (publications.id = authority_id) AND (upper(name) like '(SELECT 1795 FROM(SELECT COUNT(*),CONCAT(0x716b6b6a71,(SELECT (ELT(1795=1795,1))),0x7178767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)%') ORDER BY upper(name)
activerecord (3.0.17) lib/active_record/connection_adapters/mysql_adapter.rb:289:in `query'
I would like to know what the Mysql::Error here means (edit: not the actual SQL error about the ambiguous column; please read the next line). In particular, I would like to know whether this query was run on the database. I can tell that it failed at least, but I cannot tell exactly where. I thought Rails had ways to prevent SQL injection before sending a query to the database, but did that fail here? BibApp runs very old versions of Ruby and Rails, 1.8.7 and 3.0.17 respectively.
Also, if the database only logs long-running queries, how can I check whether the database was attacked?
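As an added example (not part of the original post and not BibApp's code), the Ruby script below does two things the question touches on. First, `mysql_escape` quotes a search term the way a MySQL client library does before the value is placed inside a single-quoted literal, which is what keeps a quote-bearing input from ending the literal. Second, `split_sql` breaks a logged statement into string literals and bare SQL, and `assess_query` reports whether a suspicious fragment sat inside a literal (compared as text, as in the LIKE clause of the error report) or ran as part of the statement. The function names, the marker list and the two sample queries are all constructed for this example.

```ruby
# Added example, not BibApp's code: quote a value the way a MySQL client
# library does, and tell whether a suspicious fragment in a logged query was
# executed as SQL or only carried as data inside a string literal.

# Escape the characters MySQL treats specially inside a single-quoted literal.
def mysql_escape(value)
  value.gsub(/[\\'"\x00\n\r\x1a]/) do |c|
    case c
    when "\\"   then "\\\\"
    when "'"    then "\\'"
    when '"'    then '\\"'
    when "\x00" then "\\0"
    when "\n"   then "\\n"
    when "\r"   then "\\r"
    when "\x1a" then "\\Z"
    end
  end
end

# The kind of WHERE fragment a quoted LIKE search produces (hypothetical shape).
def like_fragment(term)
  "upper(name) like '#{mysql_escape(term)}%'"
end

# Split a statement into [:sql, text] and [:literal, text] chunks, honouring
# backslash escapes and doubled quotes inside single-quoted literals.
def split_sql(sql)
  chunks = []
  buf = "".dup
  i = 0
  while i < sql.length
    if sql[i] != "'"
      buf << sql[i]
      i += 1
      next
    end
    chunks << [:sql, buf] unless buf.empty?
    buf = "".dup
    lit = "".dup
    j = i + 1
    while j < sql.length
      if sql[j] == "\\" && j + 1 < sql.length      # escaped character
        lit << sql[j, 2]
        j += 2
      elsif sql[j] == "'" && sql[j + 1] == "'"     # doubled quote
        lit << "''"
        j += 2
      elsif sql[j] == "'"                           # closing quote
        break
      else
        lit << sql[j]
        j += 1
      end
    end
    chunks << [:literal, lit]
    i = j + 1
  end
  chunks << [:sql, buf] unless buf.empty?
  chunks
end

# Markers that do not belong in this application's own SQL. Seeing one in a
# bare :sql chunk means it ran as SQL; seeing it only inside a :literal chunk
# means the database compared it as text.
SUSPICIOUS = {
  "information_schema lookup" => /information_schema\./i,
  "error-based probe"         => /floor\s*\(\s*rand\s*\(/i,
  "hex-delimited concat"      => /concat\s*\(\s*0x[0-9a-f]+/i,
  "time-based probe"          => /\b(sleep|benchmark)\s*\(/i,
}

# Returns { :as_sql => [labels...], :as_data => [labels...] } for one logged query.
def assess_query(sql)
  result = { :as_sql => [], :as_data => [] }
  split_sql(sql).each do |kind, text|
    bucket = kind == :literal ? :as_data : :as_sql
    SUSPICIOUS.each do |label, re|
      result[bucket] << label if text =~ re && !result[bucket].include?(label)
    end
  end
  result
end

# Constructed sample log lines (not BibApp's real log). The first has the shape
# of the query in the error report: the probe sits inside the LIKE literal. The
# second shows the same kind of probe spliced in as bare SQL.
SAMPLE_QUERIES = [
  "SELECT `publications`.`id` FROM `publications` WHERE (upper(name) like " \
  "'(SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x7178,(SELECT 1),0x7178,FLOOR(RAND(0)*2))x " \
  "FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)%') ORDER BY upper(name)",
  "SELECT `publications`.`id` FROM `publications` WHERE (upper(name) like '%x%') " \
  "AND (SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES) > 0",
]

if __FILE__ == $PROGRAM_NAME
  puts like_fragment("O'Reilly")
  SAMPLE_QUERIES.each { |q| p assess_query(q) }
end
```

Feed `assess_query` the statements from MySQL's general query log or the application's own SQL log; the slow query log only records statements that exceed `long_query_time`, so it cannot answer the question on its own.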