Shulou(Shulou.com)05/31 Report--

How to effectively prevent sql injection? Many novices are not very clear about this. In order to help you solve this problem, the following editor will explain it in detail. People with this need can come and learn. I hope you can gain something.

@ RestControllerpublic class Controller {@ Autowired SqlInject sqlInject; @ GetMapping ("list") public List courseList (@ RequestParam ("studentId") String studentId) {List orders = sqlInject.orderList (studentId); return orders;}} @ Servicepublic class SqlInject {@ Autowired private JdbcTemplate jdbcTemplate; public List orderList (String studentId) {String sql = "select id,course_id,student_id,status from course where student_id =" + studentId; return jdbcTemplate.query (sql,new BeanPropertyRowMapper (Course.class));}}

Demonstration of two injection attacks

1. Under normal circumstances, you only need to input student_id to query a student's selected courses and completion, and the relevant data can be found.

Based on the response result, we will soon be able to write the corresponding sql, as follows:

Select id,course_id,student_id,status from course where student_id = 4

two。 If we want to get all the data in this table, we just need to make sure that the where condition of the above sql is true.

Select id,course_id,student_id,status from course where student_id = 4 or 1 = 1

Set studendId to 4 or 1 = 1 when requesting the interface, so that the where condition of this sql is always true. Sql is also equivalent to the following

Select id,course_id,student_id,status from course

The result of the request is as follows. We got all the data from this table.

3. Query mysql version number and use union to concatenate sql

Union select 1 dint version (), 1

4. Query database name

Union select 1 database (), 1

5. Query all libraries for the current user of mysql

Union select 1, (SELECT GROUP_CONCAT (schema_name) FROM information_schema.schemata) schemaName,1

After watching the above demonstrations, are you scared? All your data configurations are completely exposed, and in addition, you can do a lot of things, such as updating data, deleting libraries, deleting tables, and so on.

How to prevent sql injection

1. The best way for the code layer to prevent sql injection attacks is to precompile sql

Public List orderList (String studentId) {String sql = "select id,course_id,student_id,status from course where student_id =?"; return jdbcTemplate.query (sql,new Object [] {studentId}, new BeanPropertyRowMapper (Course.class));}

In this way, the parameter 4 or 1 = 1 we pass in will be treated as a student_id, so there will be no sql injection.

two。 Confirm the type of each data, such as a number, and the database must use the int type to store

3. Specify data length, which can prevent sql injection to some extent

4. Strict restriction of database permissions can minimize the harm of sql injection.

5. Avoid responding to some sql exception information directly. When an exception occurs in sql, the custom exception responds.

6. Filter some database keywords contained in the parameters

@ Componentpublic class SqlInjectionFilter implements Filter {@ Override public void doFilter (ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws IOException, ServletException {HttpServletRequest req= (HttpServletRequest) servletRequest; HttpServletRequest res= (HttpServletRequest) servletResponse; / / get all request parameter names Enumeration params = req.getParameterNames (); String sql = ""; while (params.hasMoreElements ()) {/ / get the parameter name String name = params.nextElement (). ToString () / / get the corresponding parameter values String [] value = req.getParameterValues (name); for (int I = 0; I)

< value.length; i++) { sql = sql + value[i]; } } if (sqlValidate(sql)) { throw new IOException("您发送请求中的参数中含有非法字符"); } else { chain.doFilter(servletRequest,servletResponse); } } /** * 关键词校验 * @param str * @return */ protected static boolean sqlValidate(String str) { // 统一转为小写 str = str.toLowerCase(); // 过滤掉的sql关键字，可以手动添加 String badStr = "'|and|exec|execute|insert|select|delete|update|count|drop|*|%|chr|mid|master|truncate|" + "char|declare|sitename|net user|xp_cmdshell|;|or|-|+|,|like'|and|exec|execute|insert|create|drop|" + "table|from|grant|use|group_concat|column_name|" + "information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|*|" + "chr|mid|master|truncate|char|declare|or|;|-|--|+|,|like|//|/|%|#"; String[] badStrs = badStr.split("\\|"); for (int i = 0; i < badStrs.length; i++) { if (str.indexOf(badStrs[i]) >

= 0) {return true;}} return false;}} is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.