1. SQL injection
1) Do not build SQL by concatenating user input directly into the statement text, as in:
String sql = "select * from user where id=" + id;     // id is spliced into the SQL text itself: injectable
Class.forName(mysqldriver);
Connection conn = DriverManager.getConnection(mysqlurl);
PreparedStatement pstt = conn.prepareStatement(sql);  // "prepared" in name only: the value is already part of the SQL
ResultSet rs = pstt.executeQuery();
Fix: use a precompiled statement with a bind parameter
String sql = "select * from user where id= ?";        // ? is a placeholder, never part of the SQL text
Class.forName(mysqldriver);
Connection conn = DriverManager.getConnection(mysqlurl);
PreparedStatement pstt = conn.prepareStatement(sql);
pstt.setObject(1, id);                                // the driver sends id as data, so it cannot alter the statement
ResultSet rs = pstt.executeQuery();
2) SQL injection in the MyBatis mapper layer when the LIKE keyword is involved
select * from news where title like '%#{title}%'   // written with #{}, this throws an error: the placeholder sits inside a string literal, so no bind parameter is generated
select * from news where title like '%${title}%'   // switching to ${} substitutes the raw text, which can also cause SQL injection
Fix: use the concat function so that #{} can be bound normally
select * from news where title like concat('%', #{title}, '%')
3) SQL injection in the MyBatis mapper layer when the IN keyword is involved
select * from news where id in (#{id})   // reports an error: the entire list is bound as one value, not as a list
select * from news where id in (${id})   // unsafe: the raw text is substituted into the statement
Fix: use the foreach tag, which emits one bind parameter per element
select * from news where id in
<foreach collection="ids" item="item" open="(" separator="," close=")">#{item}</foreach>
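The three patterns above (concatenation versus a bound parameter, a LIKE pattern assembled with concat, and an IN list expanded to one placeholder per element) in one runnable example. This is an added example, not code from the page: it uses Python's standard sqlite3 module so it runs offline without a JDBC driver or MyBatis, and the in-memory `user` and `news` tables and their rows are constructed sample data. SQLite spells string concatenation as `||`; the MySQL form on the page is `concat('%', ?, '%')`.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the page's user and news tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO user VALUES (1, 'alice'), (2, 'bob');
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (1, 'security update'), (2, 'release notes'),
                                (3, '100% done'), (4, 'misc');
    """)
    return conn


# 1) vulnerable form: the counterpart of "... where id=" + id in the Java snippet.
# Whatever id_text contains becomes part of the statement text.
def user_by_id_concat(conn, id_text):
    sql = "select id, name from user where id=" + id_text
    return conn.execute(sql).fetchall()


# 1) fixed form: the counterpart of prepareStatement("... id= ?") + setObject(1, id).
# The value travels as a parameter, so it can only ever be compared, never parsed.
def user_by_id_bound(conn, id_text):
    return conn.execute("select id, name from user where id=?", (id_text,)).fetchall()


# 2) LIKE: the wildcards are added on the SQL side and the user text is bound,
# the equivalent of "like concat('%', #{title}, '%')" in the MyBatis mapper.
def news_by_title_like(conn, title):
    sql = "select id from news where title like '%' || ? || '%' order by id"
    return conn.execute(sql, (title,)).fetchall()


# 3) IN: one placeholder per element, the equivalent of the MyBatis <foreach>
# tag. Only the count of elements shapes the SQL; the values are all bound.
def news_by_ids(conn, ids):
    if not ids:
        return []                      # "in ()" is a syntax error in most dialects
    placeholders = ",".join("?" * len(ids))
    sql = f"select id from news where id in ({placeholders}) order by id"
    return conn.execute(sql, tuple(ids)).fetchall()


def run_demo():
    """Run each query once with ordinary input and once with input containing SQL syntax."""
    conn = make_db()
    hostile_id = "1 or 1=1"           # constructed input that reads as SQL if spliced into the text
    hostile_like = "%' or '1'='1"      # constructed input that would close the LIKE literal if substituted
    return {
        "concat_normal": user_by_id_concat(conn, "1"),
        "concat_hostile": user_by_id_concat(conn, hostile_id),   # returns every row: the condition was rewritten
        "bound_normal": user_by_id_bound(conn, "1"),
        "bound_hostile": user_by_id_bound(conn, hostile_id),     # no row has an id equal to that string
        "like_normal": news_by_title_like(conn, "security"),
        "like_hostile": news_by_title_like(conn, hostile_like),  # the text is only a pattern, nothing matches
        "in_normal": news_by_ids(conn, [1, 3]),
        "in_hostile": news_by_ids(conn, ["1) or 1=1 --"]),       # bound as a single value, no match
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:15s} -> {rows}")
```

Note that binding stops injection but not wildcard abuse: a `%` or `_` inside the LIKE input is still interpreted as a pattern character, so escape those with an ESCAPE clause if the search must be literal.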