Java SQL注入问题

说明:导致信息泄露或者数据被篡改。

防止SQL注入的建议

使用参数化查询:最有效的防护手段,对于sql语句中的表名、字段名、部分场景下的in条件不适用;

对不可信数据进行白名单校验:适用于拼接sql语句中的表名、字段名;

对不可信数据进行转码:适用于拼接到sql语句中的由引号限制的字段。

 

Statement 用于执行不带参数的简单SQL语句,并返回它所生成结果的对象,每次执行SQL语句时,数据库都要编译SQL语句。容易产生SQL注入问题。

PreparedStatement 表示预编译的SQL语句的对象,用于执行带参数的预编译SQL语句。注入支队SQL语句的编译过程有破坏作用,而执行阶段只是把输入串作为数据处理,不再需要对SQL语句进行解析,因此可以避免了类似select * from user where name='aa' and password = 'bb' or 1 =1;的SQL注入问题的发生。

Statement 查询例子:

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;


class SqlInjection {
    public static void main(String[] args) {
        String driver = "com.mysql.jdbc.Driver";
        // String url =
        // "jdbc:mysql://localhost:3306/students?useUnicode=true&characterEncoding=UTF-8&useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=UTC";
        String url = "jdbc:mysql://localhost:3306/students";
        String user = "root";
        String password = "123456";
        Connection con = null;
        Statement statement = null;
        ResultSet resultSet = null;

        try {
            Class.forName(driver);
            con = DriverManager.getConnection(url, user, password);
            if (!con.isClosed()) {
                System.out.println("数据库连接成功");
            }
            statement = con.createStatement();
            String name = "zhangsan";
            // String name = "zhangsan' or 'a' = 'a";
            int age = 20;
            String sqlQuery = "select * from student where age=" + age + " and name='" + name + "'";
            resultSet = statement.executeQuery(sqlQuery);
            while (resultSet.next()) {
                System.out.println("id: " + resultSet.getInt("id") + "  name: " + resultSet.getString("name")
                    + "  age: " + resultSet.getInt("age"));
            }

        } catch (ClassNotFoundException e) {
            System.out.println("数据库驱动没有安装");
        } catch (SQLException sqlException) {
            System.out.println("数据库连接失败");
        } finally {
            try {
                if (resultSet != null) {
                    resultSet.close();
                }
                if (statement != null) {
                    statement.close();
                }
                if (con != null) {
                    con.close();
                }
            } catch (SQLException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}

 

PreparedStatement 例子:

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

class SqlInjectionPreparedStatement {
    public static void main(String[] args) {
        String driver = "com.mysql.jdbc.Driver";
        String url =
            "jdbc:mysql://localhost:3306/students?useUnicode=true&characterEncoding=UTF-8&useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=UTC";
        String user = "root";
        String password = "123456";
        Connection con = null;
        PreparedStatement preparedStatement = null;
        ResultSet resultSet = null;

        try {
            Class.forName(driver);
            con = DriverManager.getConnection(url, user, password);
            if (!con.isClosed()) {
                System.out.println("数据库连接成功");
            }
            String sqlQuery = "select * from student where age=? and name=?";
            preparedStatement = con.prepareStatement(sqlQuery);

            String name = "zhangsan' or 'a' = 'a";
            int age = 20;

            preparedStatement.setInt(1, age);
            preparedStatement.setString(2, name);
            resultSet = preparedStatement.executeQuery();
            while (resultSet.next()) {
                System.out.println("id: " + resultSet.getInt("id") + "  name: " + resultSet.getString("name")
                    + "  age: " + resultSet.getInt("age"));
            }

        } catch (ClassNotFoundException e) {
            System.out.println("数据库驱动没有安装");
        } catch (SQLException sqlException) {
            System.out.println("数据库连接失败");
        } finally {
            try {
                if (resultSet != null) {
                    resultSet.close();
                }
                if (preparedStatement != null) {
                    preparedStatement.close();
                }
                if (con != null) {
                    con.close();
                }
            } catch (SQLException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}

 

 

 

 

 

 

 

 

 

  • 1
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
package com.tarena.dingdang.filter; 02 03 import java.io.IOException; 04 import java.util.Enumeration; 05 06 import javax.servlet.Filter; 07 import javax.servlet.FilterChain; 08 import javax.servlet.FilterConfig; 09 import javax.servlet.ServletException; 10 import javax.servlet.ServletRequest; 11 import javax.servlet.ServletResponse; 12 import javax.servlet.http.HttpServletRequest; 13 14 public class AntiSqlInjectionfilter implements Filter { 15 16 public void destroy() { 17 // TODO Auto-generated method stub 18 } 19 20 public void init(FilterConfig arg0) throws ServletException { 21 // TODO Auto-generated method stub 22 } 23 24 public void doFilter(ServletRequest args0, ServletResponse args1, 25 FilterChain chain) throws IOException, ServletException { 26 HttpServletRequest req=(HttpServletRequest)args0; 27 HttpServletRequest res=(HttpServletRequest)args1; 28 //获得所有请求参数名 29 Enumeration params = req.getParameterNames(); 30 String sql = ""; 31 while (params.hasMoreElements()) { 32 //得到参数名 33 String name = params.nextElement().toString(); 34 //System.out.println("name===========================" + name + "--"); 35 //得到参数对应值 36 String[] value = req.getParameterValues(name); 37 for (int i = 0; i < value.length; i++) { 38 sql = sql + value[i]; 39 } 40 } 41 //System.out.println("============================SQL"+sql); 42 //有sql关键字,跳转到error.html 43 if (sqlValidate(sql)) { 44 throw new IOException("您发送请求中的参数中含有非法字符"); 45 //String ip = req.getRemoteAddr(); 46 } else { 47 chain.doFilter(args0,args1); 48 } 49 } 50 51 //效验

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值