一、什么叫sql注入
// Vulnerable pattern: the query text is assembled by concatenating
// caller-controlled values straight into the SQL string.
strSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '" + passWord + "');"

// Values supplied by the user: each one closes the quoted literal early and
// appends a predicate that is always true.
userName = "1' OR '1'='1";
passWord = "1' OR '1'='1";

// The statement that actually reaches the database after concatenation:
// both conditions are now trivially true.
strSQL = "SELECT * FROM users WHERE (name = '1' OR '1'='1') and (pw = '1' OR '1'='1');"

// Logically equivalent to the unfiltered query - the credential check is gone.
strSQL = "SELECT * FROM users;"
二、如何防止sql注入
1、 开发者可以采用带参数（参数化）的方式执行SQL语句来访问数据库,在Java中即采用PreparedStatement的方式访问数据库。
2、 如果开发者一定要使用SQL拼接的方式访问数据,对字符串参数要检查并过滤单引号【'】;对于应为整型或者浮点类型的参数,要先转换为整型或浮点数,再进行拼接。
//安全的代码实例
//JDBC参数
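/**
 * Marks the service with the given id as stopped (state = 0) in sjzx_fwxmglb.
 *
 * The id is bound as a JDBC {@code ?} parameter after being parsed as a
 * {@code long}, so the caller-supplied string never becomes part of the SQL text.
 *
 * @param serviceId service id as a decimal string; a null or non-numeric value
 *                  is treated as a failure
 * @return 1 when the update statement executed, 0 on any failure
 */
public int stopFwxmglbStateByServiceId(String serviceId) {
    try {
        String sql = "update sjzx_fwxmglb t set t.state = 0 where t.service_id = ? and t.delete_state = 0";
        // Parsing first rejects anything that is not a number before it reaches the database.
        Object[] args = { Long.valueOf(serviceId) };
        // This is an UPDATE statement, so it has to go through update();
        // queryForLong() expects a result set with a single numeric column and
        // does not execute DML correctly.
        jdbcTemplate.update(sql, args);
        return 1;
    } catch (RuntimeException e) {
        // Best-effort contract kept from the original: the NumberFormatException
        // from the parse and any runtime exception raised by the template both
        // collapse to the failure code 0.
        return 0;
    }
}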
//HQL参数
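/**
 * Sets the state of one SjzxFwxmglb entity through an HQL update.
 *
 * Both values are bound as named parameters ({@code :state}, {@code :id}),
 * so neither is concatenated into the query text.
 *
 * @param objectid identifier of the entity to update
 * @param state    new value for the state attribute
 * @return number of entities updated, as reported by {@code executeUpdate()}
 */
public int startOrStopRelate(Long objectid, String state) {
    // HQL, not SQL: the query addresses the mapped entity and its attributes.
    String hql = "update SjzxFwxmglb set state=:state where objectid=:id";
    Query query = createQuery(hql)
            .setParameter("state", state)
            .setParameter("id", objectid);
    return query.executeUpdate();
}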