2025-04-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains what SQL injection is and how to prevent it in JDBC code. It should be a useful reference for anyone who needs it; let's take a look together.
What is SQL Injection?
Baidu's definition reads:
That is a long paragraph and not easy to digest, so let's use an example to illustrate what SQL injection is instead:
Create a new database, create a table in it, and add two rows of data:

use db1;
create table user(
    id int primary key auto_increment,
    username varchar(32),
    password varchar(32)
);
insert into user values(null, 'zhangsan', '123');
insert into user values(null, 'lisi', '234');
The table is shown below:
Then write a simple login operation with JDBC:

package com.wzq.jdbc;

import com.wzq.util.JDBCUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Scanner;

/*
 * Requirements:
 * 1. Enter your username and password
 */
public class JDBCDemo05 {
    public static void main(String[] args) {
        Scanner cin = new Scanner(System.in);
        System.out.println("Please enter user name: ");
        String username = cin.nextLine();
        System.out.println("Please enter password: ");
        String password = cin.nextLine();
        boolean res = new JDBCDemo05().login(username, password);
        if (res)
            System.out.println("Login successful! ");
        else
            System.out.println("Login failed! ");
    }

    public boolean login(String username, String password) {
        if (username == null || password == null) {
            return false;
        }
        Connection conn = null;
        Statement stmt = null;
        ResultSet rs = null;
        try {
            // 1. Get the database connection (JDBCUtils is the article's own utility class)
            conn = JDBCUtils.getConnection();
            // 2. Define the sql by splicing the raw user input into the string (the injectable part)
            String sql = "select * from user where username = '" + username + "' and password = '" + password + "'";
            // 3. Get the object that executes sql
            stmt = conn.createStatement();
            // 4. Execute sql
            rs = stmt.executeQuery(sql);
            return rs.next();
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            JDBCUtils.close(rs, stmt, conn);
        }
        return false;
    }
}
Test it:
As you can see, the normal test works fine. Now try SQL injection:
Enter an arbitrary username, and as the password enter: a' or 'a'='a
Surprisingly, the login succeeds. Let's look at the SQL that was executed:
select * from user where username = 'askjdhjksahd' and password = 'a' or 'a' = 'a'
Because of the trailing or 'a' = 'a', the condition after where is true for every row regardless of the username and password, so the whole table is returned:
In summary: when SQL is built by string splicing, special SQL characters and keywords in the user input become part of the statement itself. That is the security problem, and it is why the login above succeeds.
So how do we solve this problem?
Answer: use a PreparedStatement object instead of a Statement object.
PreparedStatement extends Statement. Its SQL is precompiled, so it runs faster than a plain Statement.
PreparedStatement uses ? as a placeholder in the SQL; the value for each ? is bound with setXxx(index, value), so the input is passed as data rather than spliced into the statement text.
So let's replace the Statement and write the code:
// Requires import java.sql.PreparedStatement; in the class above.
public boolean login(String username, String password) {
    if (username == null || password == null) {
        return false;
    }
    Connection conn = null;
    PreparedStatement pstmt = null;
    ResultSet rs = null;
    try {
        // 1. Get the database connection (JDBCUtils is the article's own utility class)
        conn = JDBCUtils.getConnection();
        // 2. Define the sql with ? placeholders instead of splicing in the input
        String sql = "select * from user where username = ? and password = ?";
        // 3. Get the object that executes sql and bind the parameters
        pstmt = conn.prepareStatement(sql);
        pstmt.setString(1, username);
        pstmt.setString(2, password);
        // 4. Execute sql
        rs = pstmt.executeQuery();
        return rs.next();
    } catch (SQLException e) {
        e.printStackTrace();
    } finally {
        JDBCUtils.close(rs, pstmt, conn);
    }
    return false;
}
Test it:
Successfully resolved!
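As an added example (not the article's code), the two login methods above reproduced in Python against an in-memory SQLite copy of the article's user table, so the difference can be checked without a MySQL server or the JDBCUtils class. The table contents and the injection string are the article's; the function names are assumptions of this example.

```python
import sqlite3

def make_db():
    """Constructed in-memory copy of the article's `user` table with its two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user(id integer primary key autoincrement, "
                 "username text, password text)")
    conn.executemany("insert into user(username, password) values (?, ?)",
                     [("zhangsan", "123"), ("lisi", "234")])
    return conn

def rows_concat(conn, username, password):
    """Vulnerable: mirrors the Statement version, SQL built by string splicing."""
    sql = ("select * from user where username = '" + username +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_concat(conn, username, password):
    if username is None or password is None:
        return False
    return len(rows_concat(conn, username, password)) > 0

def login_prepared(conn, username, password):
    """Safe: mirrors the PreparedStatement version; ? placeholders are bound, never spliced."""
    if username is None or password is None:
        return False
    sql = "select * from user where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def demo():
    """Run both versions against a valid login and the article's injection string."""
    conn = make_db()
    payload = "a' or 'a'='a"          # injection string from the article
    results = {
        "valid_concat": login_concat(conn, "zhangsan", "123"),
        "valid_prepared": login_prepared(conn, "zhangsan", "123"),
        "injected_concat": login_concat(conn, "askjdhjksahd", payload),
        # the spliced WHERE is always true, so every row in the table comes back
        "injected_rows": len(rows_concat(conn, "askjdhjksahd", payload)),
        # bound parameters: the payload is compared as a literal password string
        "injected_prepared": login_prepared(conn, "askjdhjksahd", payload),
    }
    conn.close()
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```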
That covers the details of how to solve SQL injection. Hopefully you have gained something from reading it.