本例采用JSP+Servlet+Mysql:
1. 数据库:
数据库名:sqlinject
CREATE DATABASE sqlinject;
建user表:
Table: user
Create Table: CREATE TABLE `user` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`name` varchar(20) NOT NULL,
`sex` varchar(20) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=utf8
表中一些记录:
mysql> select * from user;
+----+--------+------+
| id | name | sex |
+----+--------+------+
| 1 | benson | m |
| 2 | jerry | f |
| 3 | Mike | m |
| 4 | Jenny | f |
| 5 | Rose | f |
+----+--------+------+
5 rows in set (0.00 sec)
JSP页面和Servlet:
1.index.jsp:负责接受用户的输入(输入用户名和选择性别)
<%@ page contentType="text/html; charset=UTF-8" %>
<html>
<head>
<title>SQL注入测试</title>
</head>
<body>
<form action="query.do">
姓名:<input type="text" name="name"><br/>
性别:<select name="sex">
<option value="m">男</option>
<option value="f">女</option>
</select>
<br/>
<input type="submit" value="搜索"/>
</form>
</body>
</html>
QueryServlet处理类:
package zjut.tsw.servlet;
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import zjut.tsw.vo.User;
public class QueryServlet extends HttpServlet {
/**
*
*/
private static final long serialVersionUID = 1L;
ArrayList<User> users = null;
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
request.setCharacterEncoding("utf-8");
response.setContentType("text/html;charset=utf-8");
// 获取姓名和性别
String name = request.getParameter("name");
String sex = request.getParameter("sex");
// debug
System.out.println("name is:" + name + "\nsex is:" + sex);
users = query(name, sex);
request.setAttribute("users", users);
request.getRequestDispatcher("/query.jsp").forward(request, response);
return;
}
public ArrayList<User> query(String name, String sex) {
Connection conn = getConnection();
if(conn == null) System.out.println("conn is null");
Statement stmt = null;
ResultSet rs = null;
String sql = "select * from user where" + " sex='" + sex + "' and name='" + name + "'";
// debug
System.out.println(sql);
ArrayList<User> users = new ArrayList<User>(); // 保存用户
try {
stmt = conn.createStatement();
rs = stmt.executeQuery(sql);
while (rs.next()) {
User user = new User();
user.setName(rs.getString("name"));
user.setSex(rs.getString("sex"));
users.add(user);
}
return users;
} catch (SQLException e) {
e.printStackTrace();
return null;
}
}
// connect to db
public static Connection getConnection() {
Connection conn = null;
try {
Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(
"jdbc:mysql://localhost:3306/sqlinject", "root", "root");
return conn;
} catch (ClassNotFoundException cnfe) {
cnfe.printStackTrace();
return null;
} catch (SQLException e) {
e.printStackTrace();
return null;
}
}
}
VO:User
package zjut.tsw.vo;
public class User {
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getSex() {
return sex;
}
public void setSex(String sex) {
this.sex = sex;
}
private String name;
private String sex;
@Override
public String toString() {
return "username is:" + name + "sex is:" + sex;
}
}
结果页面 query.jsp
<%@ page contentType="text/html; charset=UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>查询结果</title>
</head>
<body>
<c:forEach items="${users}" var="user">
姓名:${user.name },性别${user.sex }<br/>
</c:forEach>
</body>
</html>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<servlet>
<servlet-name>QueryServlet</servlet-name>
<servlet-class>zjut.tsw.servlet.QueryServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>QueryServlet</servlet-name>
<url-pattern>/query.do</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
界面效果:
登录界面:
SQL注入:
结果:
这里在姓名输入框里输入了 ' or 'hack'='hack (hack名字是随意取的)
在地址栏中,%27代表单引号,+号代表一个空格,%3D代表=号,可以用JAVA的URLEncoder类和URLDecoder类进行转换
所有的记录都被查询出来了。
看下MyEclipse打印的SQL调试语句:
name is:' or 'hack'='hack
sex is:m
select * from user where sex='m' and name='' or 'hack'='hack'
Over...