Shulou(Shulou.com)05/31 Report--

Editor to share with you what SQL injection refers to, I believe that most people do not know much about it, so share this article for your reference, I hope you can learn a lot after reading this article, let's go to understand it!

SQL injection 1. What is SQL injection

Take a look at the following case scenario, which is a normal login scenario:

When we use the user name': -, you can log in to ↓ if you enter your password at will.

At this time, by comparing the two sql, you can find that the user ends the internal sql ahead of time through the sql symbol written in the user name, and annotates the second half of the search conditions to achieve the password-free login effect.

Sql injection is that I am the only one who can operate the database. I just ask you to type in the content and leave, but you enter the command to operate the database without my knowledge.

two。 Repair of vulnerabilities

The cosmetic situation occurs because the above sql uses dynamic stitching, so the way sql is passed in may change the semantics of sql.

Dynamic stitching is the mixed use of java variables and sql statements in java: select * from user where userName=' "+ userName+" 'and password =' "+ password"'

So to use the parameterized sql of preparedStatement, by determining the semantics first, and then passing in the parameters, the semantics of the sql will not be changed because of the passed parameters. (pass in parameters via setInt,setString,setBoolean)

3. Parameterized sql use case / / establish data connection conn=ds.getConnection (); / / 1. Set prepareStatement's placeholder sql statement PreparedStatement ptmt = conn.prepareStatement ("select * from user where userName =? and password =?"); ptmt.setString (1, "Zhang San"); / / 2. Set parameters ptmt.setString (2, "123456"); rs=ptmt.executeQuery (); while (rs.next ()) {System.out.println ("login successful"); return;} System.out.println ("login failed")

Parameterized features:

1. Set up preparedStatement sql statements with placeholders

How statement executes the sql statement:

Stmt=conn.createStatement (); rs=stmt.executeQuery ("select userName from user")

two。 Set parameters

PerparedStatement inherits from Statement, and the features that make it parameterized sql are mainly used here.

Transfer to: https://blog.csdn.net/qq_30258957/article/details/78145885

Plus: 1. All PreparedStatement extends Statement is used to execute SQL.

2.Statement is suitable for static (unconditional) SQL PreparedStatement is suitable for dynamic (conditional) SQL

3.PreparedStatement can avoid injection attacks.

The above is all the content of this article "what does SQL injection mean?" Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.