Shulou(Shulou.com)06/02 Report--

Editor to share with you how to avoid sql injection in Java, I believe most people do not know much about it, so share this article for your reference, I hope you can learn a lot after reading this article, let's go to know it!

Preface

Sql injection is the most common security vulnerability in web development. It can be used to obtain sensitive information from the database, use the characteristics of the database to add users, export files and other malicious operations, and even obtain the highest permissions of the database and even system users.

Reasons for sql injection:

The program does not effectively filter the user's input, which makes the attacker successfully submit the malicious SQL script to the server. after receiving, the program mistakenly executes the attacker's input as a part of the SQL statement, resulting in the original query logic being changed and the malicious SQL statement carefully constructed by the attacker.

For example, check the user information from the user table according to the user name admin and password 123

Select * from User where username = 'admin' and password =' 123'

The attacker maliciously modified the username parameter admin-- > xxxx or 1room1--

Select * from user where username = 'xxxx' or 1'-- and password = '123'

SQL-- is the comment mark, and if the above SQL is executed, it can allow an attacker to log in successfully without knowing any username and password. Therefore, it is very important to prevent sql injection

Methods to prevent sql injection:

Strictly restrict the operation rights of the database of Web applications, provide users who connect to the database with minimum permissions to meet their needs, and minimize the harm of injection attacks to the database.

Escape or code conversion of special characters entering the database

Check whether the data format of the parameter is legal (regular or special characters can be used to judge)

Pre-compiled SQL (PreparedStatement is used in Java), parameterized query mode to avoid SQL stitching

Use mybatis's "# {}" precompilation to process the passed-in values as strings

Use tools to detect SQL injection before release

Error message should not include SQL information output to Web page

Java effectively prevents SQL injection

1. Never trust the user's input. To check the user's input, you can use regular expressions, or limit the length; convert single quotes and double "-" and so on.

two。 Never use dynamically assembled sql, you can use parameterized sql or directly use stored procedures for data query and access.

3. Never use database connections with administrator privileges, and use separate database connections with limited permissions for each application.

4. Do not store confidential information directly, encrypt or hash passwords and sensitive information.

5. The applied exception information should give as few hints as possible, and it is best to wrap the original error message with custom error messages.

The above is all the contents of the article "how to avoid sql injection in Java". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.