Shulou(Shulou.com)06/01 Report--

Why does precompilation prevent sql injection? In view of this problem, this article introduces the corresponding analysis and answers in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible way.

Why precompilation can prevent sql injection: after precompilation, the sql statement has been analyzed, compiled and optimized by the database, and the database is allowed to query in a parameterized form, so even if there are sensitive characters, the database will be treated as attribute values rather than sql instructions.

As we all know, there is a preprocessing function in JDBC in java. One of the major advantages of this function is that it can improve the execution speed, especially when operating the database many times, and another advantage is to prevent SQL injection. Strictly speaking, it should prevent the vast majority of SQL injection.

The usage is as follows:

String sql= "update cz_zj_directpayment dp" + "set dp.projectid =? where dp.payid=?"; try {PreparedStatement pset_f = conn.prepareStatement (sql); pset_f.setString (1 Magi inds [j]); pset_f.setString (2 Magi id); pset_f.executeUpdate (sql_update);} catch (Exception e) {/ / e.printStackTrace (); logger.error (e.message ());}

So why does it do this to prevent SQL injection and improve security? In fact, because the SQL statement has been precompiled before the program runs, before the program operates on the database for the first time, the SQL statement has been analyzed, compiled and optimized by the database, and the corresponding execution plan is also cached and allows the database to query in a parameterized form. When parameters are dynamically passed to PreprareStatement at run time Even if there are sensitive characters such as or '1room1' in the parameter, the database will be treated as the attribute value of a parameter field rather than as a SQL instruction, so it plays the role of SQL injection!

This is the answer to the question about why precompilation can prevent sql injection. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.