mysql> select * from t_u
-> ;
+----+----------+------+------+
| id | username | pwd | age |
+----+----------+------+------+
| 1 | zs | test | 22 |
+----+----------+------+------+
1 row in set (0.14 sec)
mysql> update t_u set pwd = 'ddd\' or \'1\'=\'1' where id =1;
Query OK, 1 row affected (0.39 sec)
Rows matched: 1 Changed: 1 Warnings: 0
mysql> select * from t_u;
+----+----------+----------------+------+
| id | username | pwd | age |
+----+----------+----------------+------+
| 1 | zs | ddd' or '1'='1 | 22 |
+----+----------+----------------+------+
1 row in set (0.06 sec)
java:
package web;
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import util.DBUtil;
public class LoginServletSafe extends HttpServlet{
public void service(HttpServletRequest req,
HttpServletResponse res)
throws ServletException,IOException{
System.out.println("========================");
Connection conn =null;
try{
conn = DBUtil.getConnection();
String username = req.getParameter("username");
String pwd =req.getParameter("pwd");
String sql="select * from t_u where username = ? and pwd = ?";
System.out.println(sql);
PreparedStatement prep= conn.prepareStatement(sql);
prep.setString(1, username);
prep.setString(2, pwd);
//System.out.println("pwd的值:"+pwd);
//若将pwd的值定义为:ddd' or '1'='1
//通过preparedStatement预编译后,执行的SQL语句将是:
//select * from t_u where name = 'zs'
// and pwd ='ddd\' or \'1\'=\'1'
/**实现机制不同,注入只对sql语句的准备(编译?)过程有破坏作用
而ps已经准备好了,执行阶段只是把输入串作为数据处理,不再
需要对sql语句进行解析,准备,因此也就避免了sql注入问题.
*PreparedStatement可以在传入sql后,执行语句前,给参数赋值,
*避免了因普通的拼接sql字符串语句所带来的安全问题,而且准备sql
*和执行sql是在两个语句里面完成的,也提高了语句执行的效率
*/
ResultSet rst= prep.executeQuery();
System.out.println("rst: "+rst);
//System.out.println("rst: "+rst.getStatement());
//判断结果集rs是否有记录,并且将指针后移一位
//因为前面的select语句是限定的条件,只有满足了条件才能有记录产生
if(rst.next()){
System.out.println("success");
}else{
System.out.println("fail");
}
}catch(Exception e){
e.printStackTrace();
throw new ServletException(e);
}
}
}
然后在JSP页面中,name的取值为zs,pwd的取值为:ddd' or '1'='1
提交后,控制台打印出:success,就表示,pwd的值是当成参数值来传递了,相当于执行了以下的SQL语句。
mysql> select * from t_u where username='zs' and pwd = 'ddd\' or \'1\'=\'1';
+----+----------+----------------+------+
| id | username | pwd | age |
+----+----------+----------------+------+
| 1 | zs | ddd' or '1'='1 | 22 |
+----+----------+----------------+------+
1 row in set (0.00 sec)
验证完毕,一直纠结网络上也没有这么的详细的解释,自己弄明白后,豁然开朗。^_^