4.1.8. Precompile

4.1.8.1. Introduction

SQL injection happens when the interpreter executes incoming data as part of a command; precompilation (prepared statements) solves this by splitting a query into two interactions. In the first interaction the client sends the template of the query statement, which the back-end SQL engine parses into an AST or opcode; in the second interaction the client sends the data, which is substituted into the AST or executed against the opcode. Because parsing of the grammar is already complete at that point, data can no longer be confused with code.

4.1.8.2. Simulate precompilation

Because lower-version databases may not support precompilation, simulated precompilation (client-side emulation) reproduces the parameter-binding process inside the client and performs custom escaping of the values before splicing them into the statement.

4.1.8.3. Bypass

4.1.8.3.1. Precompile usage errors

Precompilation protects only the field values that are replaced by placeholders. If the statement sent in the first interaction is built with string concatenation, so that its text is controllable by the attacker, precompilation does not take effect.

4.1.8.3.2. Some parameters are not precompiled

In some cases the database engine checks whether the referenced table and columns exist while parsing the template, so table and column names cannot be replaced by placeholders. If table or column names are controllable in this situation, vulnerabilities may be introduced.
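An added example, not from the original notes, showing the usage error of 4.1.8.3.1 beside correct parameter binding, and an allowlist for the identifier case of 4.1.8.3.2 where a column name cannot be bound. It uses Python's sqlite3 with a constructed in-memory table; the table, column names and rows are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory database for the demonstration (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def lookup_concat(conn, name):
    # Usage error (4.1.8.3.1): the statement text sent to the engine already
    # contains the untrusted value, so the parser treats it as code.
    sql = "SELECT id FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    # Correct use: the template is parsed first, the value is bound afterwards
    # and cannot change the statement's structure.
    sql = "SELECT id FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


# Identifiers cannot be placeholders (4.1.8.3.2), so the set of column names
# that may be spliced into the template is fixed in code.
ALLOWED_COLUMNS = {"id", "name", "role"}


def lookup_by_column(conn, column, value):
    # The identifier is checked against the allowlist; the value is still bound.
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % column)
    sql = 'SELECT id FROM users WHERE "%s" = ? ORDER BY id' % column
    return [row[0] for row in conn.execute(sql, (value,))]
```

Running the two lookups with the same constructed input shows that the concatenated statement returns every row while the bound statement returns none.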

4.1.8.3.3. Precompiled Implementation Errors

Some language engines have flaws in their precompilation implementation, which may allow bypasses.