###### tags: `2020 Kali讀書會-資安小聚`

Do you know how back-end devs block your SQL injection?
===

[TOC]

## Speaker

Sponge / 郭彥廷

- Former database designer (DBD)
- Currently a back-end engineer

:::info
Supplementary material

NoSQL Injection payloads
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection#mongodb-payloads

NoSQLMap (tool)
https://github.com/codingo/NoSQLMap
:::

---

### ORM (Object-Relational Mapping)

- Lower performance than hand-written SQL
- Still carries risk (ORM injection)
- [ORM n+1 selects problem](https://stackoverflow.com/questions/97197/what-is-the-n1-selects-problem-in-orm-object-relational-mapping)

---

[linq2db] linq2db, EF and Dapper performance comparison when querying large data sets
https://dotblogs.com.tw/yc421206/2019/03/13/query_large_data_compare_ef_dapper_linq2db

Dapper vs EF Core Query Performance Benchmarking
https://exceptionnotfound.net/dapper-vs-entity-framework-core-query-performance-benchmarking-2019/

Entity Framework Core 2 Vs Dapper Performance Benchmark
https://medium.com/@engr.mmohsin/entity-framework-core-2-dapper-performance-benchmark-c29e8cce9e1b

SQL Stored Procedures for SQL Server
https://www.w3schools.com/sql/sql_stored_procedures.asp

How does a stored procedure prevent SQL injection?
-> Stored procedures are not immune to SQL injection under some conditions.
https://security.stackexchange.com/questions/68701/how-does-stored-procedure-prevents-sql-injection

Stored procedures (Wikipedia, zh-tw)
https://zh.wikipedia.org/zh-tw/%E5%AD%98%E5%82%A8%E7%A8%8B%E5%BA%8F
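The two points above (an ORM's N+1 selects problem, and a stored procedure or data-access layer only being safe when it does not build dynamic SQL from its parameters) are easy to see on a small database. The following is an added example written for these notes, not code from the talk or from any of the linked projects; it uses Python's built-in `sqlite3` instead of SQL Server, and the `users`/`orders` tables and rows are constructed for the demo. `find_user_unsafe` stands in for a procedure that concatenates its argument into the statement text, `find_user_safe` for one that binds it as a parameter, and `count_statements` uses sqlite3's trace callback to count how many statements each access pattern actually sends to the engine.

```python
"""Added example: parameterised vs concatenated queries, and the ORM N+1
selects problem, on an in-memory SQLite database. Schema and rows are
constructed for this demo (hypothetical users/orders tables)."""
import sqlite3


def make_db():
    # Hypothetical schema: three users, four orders.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, user_id INTEGER, total INTEGER);
        INSERT INTO users VALUES (1,'alice','admin'),(2,'bob','user'),(3,'carol','user');
        INSERT INTO orders VALUES (1,1,10),(2,1,20),(3,2,5),(4,3,7);
    """)
    return conn


def find_user_unsafe(conn, name):
    # Mirrors a stored procedure (or raw ORM call) that builds dynamic SQL by
    # concatenation: the argument becomes part of the statement text, so the
    # "stored procedure" wrapper gives no protection at all.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Parameterised: the value is bound separately from the statement and can
    # never be parsed as SQL, whatever characters it contains.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def count_statements(conn, fn):
    # Count every statement the engine runs while fn(conn) executes.
    n = 0

    def trace(_statement_text):
        nonlocal n
        n += 1

    conn.set_trace_callback(trace)
    try:
        result = fn(conn)
    finally:
        conn.set_trace_callback(None)
    return n, result


def totals_n_plus_one(conn):
    # ORM-style lazy loading: 1 query for the users, then 1 query per user
    # for that user's orders (N+1 statements in total).
    totals = {}
    for uid, name in conn.execute("SELECT id, name FROM users").fetchall():
        rows = conn.execute("SELECT total FROM orders WHERE user_id = ?", (uid,)).fetchall()
        totals[name] = sum(r[0] for r in rows)
    return totals


def totals_join(conn):
    # One JOIN + GROUP BY: a single statement regardless of how many users exist.
    sql = """SELECT u.name, COALESCE(SUM(o.total), 0)
             FROM users u LEFT JOIN orders o ON o.user_id = u.id
             GROUP BY u.id, u.name"""
    return {name: total for name, total in conn.execute(sql)}


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed input: makes a concatenated WHERE always true
    print("concatenated:", find_user_unsafe(conn, probe))   # every user leaks
    print("parameterised:", find_user_safe(conn, probe))    # no such user: []
    print("N+1 statements:", count_statements(conn, totals_n_plus_one)[0])
    print("JOIN statements:", count_statements(conn, totals_join)[0])
```

The statement counter is the useful check to carry into a real code base: wrapping an ORM call in the same kind of trace (or the database's query log) shows whether a single page request is issuing one statement or one per row, and a review of any procedure that calls `EXEC`/`sp_executesql` on concatenated text is where the "not immune under some conditions" caveat from the linked Stack Exchange answer applies.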