Shulou(Shulou.com)06/03 Report--

In this issue, the editor will bring you about what methods can effectively deal with SQL injection attacks. The article is rich in content and analyzes and describes for you from a professional point of view. I hope you can get something after reading this article.

The effective way to deal with SQL injection attacks is PreparedStatement (precompiled statement set). The precompiled statement set has built-in ability to handle SQL injection, and we just need to use its setxxx method to pass values.

1. (simple and effective method) PreparedStatement

A set of precompiled statements is used, which has the built-in ability to handle SQL injection, as long as it uses its setXXX method to pass values.

Benefits of use:

(1) readability and maintainability of the code.

(2) PreparedStatement improves the performance as much as possible.

(3) the most important point is that the security is greatly improved.

Principle:

Sql injection only destroys the preparation (compilation) process of sql statements, but PreparedStatement is ready, and the execution phase only treats the input string as data, and no longer parses and prepares sql statements, so the problem of sql injection is avoided.

2. Use regular expressions to filter incoming parameters

Packages to be introduced:

Import java.util.regex.*

Regular expression:

Private String CHECKSQL = "^ (. +)\\ sand\\ s (. +) | (. +)\\ sor (. +)\\ s $"

Determine if there is a match:

Pattern.matches (CHECKSQL,targerStr)

Here are the specific regular expressions:

Detect the regular expression of SQL meta-characters: / (\% 27) | (\') | (\ -) | (\% 23) | (#) / ix

Fixed the regular expression for detecting SQL meta-characters: / ((\% 3D) | (=)) [^\ n] * ((\% 27) | (\') | (\ -) | (\% 3B) | (:)) / I

Regular expression for a typical SQL injection attack: /\ w * ((\% 27) | (\')) ((\% 6F) | o | (\% 4F)) ((\% 72) | r | (\% 52)) / ix

Detect SQL injection. Regular expression of UNION query keyword: / (\% 27) | (\') union/ix (\% 27) | (\')

Regular expression for detecting MS SQL Server SQL injection attacks: / exec (\ s |\ +) + (s | x) p\ w+/ix

Wait... ..

3. String filtering

A more general method:

(| | parameters can be added according to the needs of your own program)

Public static boolean sql_inj (String str) {String inj_str = "'| and | exec | insert | select | delete | update | * |% | chr | mid | master | truncate | char | declare |; or |-| + |,"; String inj_stra [] = split (inj_str, "|"); for (int iTun0; I)

= 0) {return true;}} return false;}

4. Call this function in jsp to check whether the package is illegal.

Prevent SQL from injecting from URL:

Sql_inj.java Code:

Package sql_inj;import java.net.*;import java.io.*;import java.sql.*;import java.text.*;import java.lang.String;public class sql_inj {public static boolean sql_inj (String str) {String inj_str = "'| and | exec | insert | select | delete | count | * |% | chr | mid | master | truncate | char | declare |; | or |-| + |,"; / / you can also add String [] inj_stra=inj_str.split ("\\ |"); for (int item0; I)

= 0) {return true;}} return false;}} these are the methods shared by Xiaobian that can effectively deal with SQL injection attacks. If you happen to have similar doubts, please refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.