String concatenation (vulnerable): the user-supplied values are pasted straight into the SQL text
String name = "1' or '1' = '1";
String age = "1' or '1' = '1";
// The quotes inside the values become part of the statement's syntax
String sql = "select * from user where name = '" + name + "' and age = '" + age + "'";
Resulting SQL: select * from user where name = '1' or '1' = '1' and age = '1' or '1' = '1'
PreparedStatement: placeholders / dynamic parameterization
String sql = "select * from user where name = ? and age = ?";
String name = "1' or '1' = '1";
String age = "1' or '1' = '1";
// The statement text is fixed; the values are bound separately and never parsed as SQL
PreparedStatement preparedStatement = connection.prepareStatement(sql);
preparedStatement.setString(1, name);
preparedStatement.setString(2, age);
Resulting SQL: select * from user where name = '1\' or \'1\' = \'1' and age = '1\' or \'1\' = \'1'
Cause: the SQL statement is hard-coded by concatenation, so an "always true" expression can bypass the original statement's filter condition, e.g.: SELECT * FROM users WHERE name = '" + userName + "' and pw = '"+ passWord +"'
When the parameter values are passed in, supplying passWord = "1' OR '1'='1" or userName = "1' OR '1'='1" bypasses the filter; the final SQL becomes SELECT * FROM users WHERE name = '1' OR '1'='1' and pw = '1' OR '1'='1'. This statement is "always true", so the whole table can be exported (the database dumped).
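The same contrast, ported from JDBC to Python's standard-library sqlite3 DB-API as an added example (not code from the original page); the in-memory `user` table and its rows are constructed here, and sqlite3's `?` placeholders play the role of PreparedStatement's.

```python
import sqlite3

# Constructed in-memory stand-in for the page's `user` table (not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (name text, age text)")
    conn.executemany("insert into user values (?, ?)",
                     [("alice", "30"), ("bob", "41"), ("carol", "25")])
    return conn

# Vulnerable pattern from the page: the SQL text is assembled by concatenation,
# so quotes inside the values become part of the statement's syntax.
def build_concat_sql(name, age):
    return ("select * from user where name = '" + name
            + "' and age = '" + age + "'")

def find_user_concat(conn, name, age):
    return conn.execute(build_concat_sql(name, age)).fetchall()

# Hardened pattern: `?` placeholders with values bound by the driver, which is
# what PreparedStatement.setString does in the JDBC version above.
def find_user_param(conn, name, age):
    sql = "select * from user where name = ? and age = ?"
    return conn.execute(sql, (name, age)).fetchall()

# Runs both lookups with the page's always-true payload and returns the
# number of rows each one returns, plus a legitimate lookup for comparison.
def demo():
    conn = make_db()
    payload = "1' or '1' = '1"
    leaked = len(find_user_concat(conn, payload, payload))  # every row
    bound = len(find_user_param(conn, payload, payload))    # no row matches
    legit = len(find_user_param(conn, "alice", "30"))       # exactly one row
    return leaked, bound, legit

if __name__ == "__main__":
    print(build_concat_sql("1' or '1' = '1", "1' or '1' = '1"))
    print(demo())  # (3, 0, 1)
```

With binding, the payload is compared as a literal name and matches nothing; with concatenation, the `or '1' = '1'` term makes the WHERE clause true for every row.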