Shulou(Shulou.com)06/02 Report--

This article mainly introduces "how to effectively avoid SQL injection vulnerabilities in Java". In daily operation, I believe many people have doubts about how to effectively avoid SQL injection vulnerabilities in Java. The editor consulted all kinds of information and sorted out simple and easy-to-use methods of operation. I hope it will be helpful to answer the doubts about "how to effectively avoid SQL injection vulnerabilities in Java". Next, please follow the editor to study!

1. A simple and effective way is to use PreparedStatement

It uses a set of precompiled statements, which has the ability to handle SQL injection, as long as it uses its setXXX (e.g. setString) method to pass values.

Benefits:

(1)。 The readability and maintainability of the code become better.

(2). PreparedStatement improves performance as much as possible.

(3)。 The most important thing is that security is greatly improved.

Principle:

SQL injection only destroys the compilation process of SQL statements, but the compilation phase of PreparedStatement SQL statements is ready, and the execution phase only treats the input string as data, and no longer parses and prepares SQL statements, so the problem of SQL injection is avoided.

Some popular ORM frameworks also use PreparedStatement when dealing with SQL, such as MyBatis.

When using MyBatis, we should pay attention to: when the injection parameters are worthy, use # {xxx}, # {xxx} has enabled the precompilation function, before SQL execution, the above SQL will be sent to the database for compilation; when executing, directly use the compiled SQL to replace the placeholder "?" Just do it. Because SQL injection only works for the compilation process, this approach avoids the problem of SQL injection.

Parameters in the format "${xxx}" are directly involved in SQL compilation, so injection attacks cannot be avoided.

Sometimes some operations use this way, such as input tables, fuzzy matching, and so on. At this point, you can use bind+# {} to prevent SQL injection (# {} is precompiled, and the parameters passed are not compiled, but only as parameters, the equivalent of PreparedStatement).

The bind element can create a variable from the OGNL expression and bind it to the context. For example:

SELECT * FROM BLOG WHERE title LIKE # {pattern} 2, use filter

If we can't use PreparedStatement for all SQL statements, we can use filters to intercept these strings globally. In the filter, use regular expressions to filter incoming parameters. Use regular expressions to determine whether they match:

String begin= "your request parameter information"; / / you can configure these special characters through the configuration file to add some keywords at any time. String pattern= "| and | exec | execute | insert | select | delete | update | count | drop | * |% | chr | mid | master | truncate | char | declare | sitename | net user | xp_cmdshell; | or |-| + | like"; Pattern r = Pattern.compile (pattern); Matcher isMatch = r.matcher (begin); if (isMatch.find ()) {/ / dangerous request parameter} some suggestions to prevent sql injection

1. The best way for the code layer to prevent sql injection attacks is to precompile sql

Public List orderList (String studentId) {String sql = "select id,course_id,student_id,status from course where student_id =?"; return jdbcTemplate.query (sql,new Object [] {studentId}, new BeanPropertyRowMapper (Course.class));}

In this way, the parameter 4 or 1 = 1 we pass in will be treated as a student_id, so there will be no sql injection.

two。 Confirm the type of each data, such as a number, and the database must use the int type to store

3. Specify data length, which can prevent sql injection to some extent

4. Strict restriction of database permissions can minimize the harm of sql injection.

5. Avoid responding to some sql exception information directly. When an exception occurs in sql, the custom exception responds.

6. Filter some database keywords contained in the parameters

At this point, the study on "how to effectively avoid SQL injection vulnerabilities in Java" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.