// Attacker-controlled input: the single quotes break out of the SQL string literal
String username = "a' OR password = ";
String password = " OR '1'= '1";
// Vulnerable: user input is concatenated straight into the SQL text
String sql = "SELECT * FROM user WHERE name = '" + username
        + "' AND " + "password = '" + password + "'";
1. Original query: SELECT * FROM user WHERE name = ' ' AND password = ' ';
   (or, with double-quoted strings: SELECT * FROM user WHERE name = " " AND password = " ";)
2. After the values above are injected, the query becomes:
SELECT * FROM user WHERE name = 'a' OR password = ' AND password = ' OR '1'= '1';
The fragment ' AND password = ' is now just a string literal compared against the password column, and the trailing OR '1'= '1' is always true, so the WHERE clause matches every row and the login check is bypassed.
3. Use PreparedStatement to avoid SQL injection: the SQL text is fixed and user input is bound as parameters, so quote characters in the input are treated as data rather than as SQL syntax.
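The following is an added example, not code from the original page: it places the page's concatenated query next to a PreparedStatement version and runs both against an in-memory H2 database. H2 on the classpath, the table name app_user (renamed from the page's user because USER is a reserved word in H2), and the sample row alice / s3cret are assumptions for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginDao {

    // Vulnerable: the same concatenation as the page's snippet. The quote
    // characters in the input become SQL syntax and rewrite the WHERE clause.
    static String buildUnsafeQuery(String username, String password) {
        return "SELECT * FROM app_user WHERE name = '" + username
                + "' AND password = '" + password + "'";
    }

    // Hardened: the SQL text never changes; values are bound with setString,
    // so the driver sends them as data and they cannot alter the statement.
    static boolean loginSafe(Connection conn, String username, String password)
            throws SQLException {
        String sql = "SELECT 1 FROM app_user WHERE name = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next(); // true only if a row matched both bound values
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // The injected values from the page
        String username = "a' OR password = ";
        String password = " OR '1'= '1";

        // 1. Show the rewritten query produced by string concatenation
        System.out.println(buildUnsafeQuery(username, password));

        // 2. Run the parameterised version against an in-memory H2 database
        //    (assumption: H2 driver on the classpath; sample row is constructed)
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE app_user (name VARCHAR(64), password VARCHAR(64))");
                st.execute("INSERT INTO app_user VALUES ('alice', 's3cret')");
            }
            System.out.println("valid credentials: " + loginSafe(conn, "alice", "s3cret"));
            System.out.println("injected input:    " + loginSafe(conn, username, password));
        }
    }
}
```

With the bound parameters, the injected username is compared literally against the name column as the whole string a' OR password = , so the second call returns false while the genuine credentials return true. The demo keeps the page's plaintext password column to stay on topic; comparing a password hash instead is a separate hardening step from the query structure shown here.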