SELECT * FROM db_user WHERE username=‘validuser’ OR ‘1’=‘1’ AND password=’’
同样,攻击者可以为password提供如下字符串。
’ OR ‘1’='1
当其注入到命令时,命令就会变成:
SELECT * FROM db_user WHERE username=’’ AND password=’’ OR ‘1’=‘1’
解决思路:
使用java.sql.PreparedStatement
代替java.sql.Statement
,做一个预编译,例如,select * from db_user where username=? and password=?
,然后向PreparedStatement对象中添加?
对应的属性
public void doPrivilegedAction(String username, char[] password) throws SQLException {
Connection connection = getConnection();
if (connection == null) {
// Handle error
}
try {
String pwd = hashPassword(password);
// Ensure that the length of user name is legitimate
if ((username.length() > 8) {
// Handle error
}
String sqlString = “select * from db_user where username=? and password=?”;
PreparedStatement stmt = connection.prepareStatement(sqlString);
stmt.setString(1, username);
stmt.setString(2, pwd);
ResultSet rs = stmt.executeQuery();
if (!rs.next()) {
throw new SecurityException(“User name or password incorrect”);
}
try {
connection.close();
} catch (SQLException x) {
// forward to handler
} finally {
// forward to handler
}
}
3、不安全的随机数
Java API中提供了java.util.Random
类实现PRNG()
,该PRNG是可移植和可重复的,如果两个java.util.Random
类的实例使用相同的种子,会在所有Java实现中生成相同的数值序列。
例如:下面代码片段中,使用了java.util.Random
类,该类对每一个指定的种子值生成同一个序列。
import java.