import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import org.junit.Test;

@Test
public void method2() throws Exception {
    String url = "jdbc:mysql:///db1";
    String username = "root";
    String password = "1234";
    Connection conn = DriverManager.getConnection(url, username, password);
    // Simulated user input: the password field carries a SQL fragment
    String name = "asfdf";
    String pwd = "' or '1' = '1";
    // Vulnerable: the input is concatenated straight into the SQL text,
    // so the quote in pwd closes the literal and the rest becomes SQL
    String sql = "select * from calss where username = '"+name+"' and password = '"+pwd+"'";
    Statement stmt = conn.createStatement();
    ResultSet rs = stmt.executeQuery(sql);
    if (rs.next()){
        System.out.println("登录成功");
    }else{
        System.out.println("登录失败");
    }
    rs.close();
    stmt.close();
    conn.close();
}
In this code, whether or not the condition username = 'sjdljfld' and password = '' is satisfied does not matter: the '1' = '1' after the or is always satisfied, so the overall condition holds and the login goes through normally.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import org.junit.Test;

@Test
public void method2() throws Exception {
    String url = "jdbc:mysql:///db1";
    String username = "root";
    String password = "1234";
    Connection conn = DriverManager.getConnection(url, username, password);
    // Same simulated input as before
    String name = "asfdf";
    String pwd = "' or '1' = '1";
    // Safe: ? placeholders keep the SQL text fixed; values are bound separately
    String sql = "select * from calss where username = ? and password = ?";
    PreparedStatement pstmt = conn.prepareStatement(sql);
    pstmt.setObject(1,name);
    pstmt.setObject(2,pwd);
    ResultSet rs = pstmt.executeQuery();
    if (rs.next()){
        System.out.println("登录成功");
    }else{
        System.out.println("登录失败");
    }
    rs.close();
    pstmt.close();
    conn.close();
}
This code uses PreparedStatement instead of Statement to execute the statement above, and the SQL injection problem no longer appears: the input characters are escaped, with an escape character placed in front of certain special symbols, so that they cannot be joined to the SQL statement and change its original meaning. For example:
select * from tb_user where username = 'sjdljfld' and password = '\'or \'1\' = \'1'
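To make the difference between the two methods observable without a MySQL server, here is an added example (not code from the original page) that runs the same comparison against an in-memory SQLite database in Python. login_concat mirrors the first Java method (string concatenation) and login_param mirrors the second (? placeholders with separately bound values); the table name calss and the two sample users are constructed for the demo.

```python
import sqlite3

INJECTED_PWD = "' or '1' = '1"  # the same input the page feeds to both methods


def make_db():
    """Constructed in-memory stand-in for the page's calss table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE calss (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO calss VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def build_concat_sql(name, pwd):
    """The exact query text the vulnerable method sends to the database."""
    return ("select * from calss where username = '" + name
            + "' and password = '" + pwd + "'")


def login_concat(conn, name, pwd):
    """Vulnerable: input becomes part of the SQL text.
    Returns (login_ok, rows_matched)."""
    rows = conn.execute(build_concat_sql(name, pwd)).fetchall()
    return len(rows) > 0, len(rows)


def login_param(conn, name, pwd):
    """Safe: the SQL text is fixed; name and pwd are passed as data.
    Returns (login_ok, rows_matched)."""
    sql = "select * from calss where username = ? and password = ?"
    rows = conn.execute(sql, (name, pwd)).fetchall()
    return len(rows) > 0, len(rows)


if __name__ == "__main__":
    db = make_db()
    print(build_concat_sql("asfdf", INJECTED_PWD))
    print("concat :", login_concat(db, "asfdf", INJECTED_PWD))
    print("param  :", login_param(db, "asfdf", INJECTED_PWD))
    print("param  :", login_param(db, "alice", "s3cret"))
```

With the injected password the concatenated query matches every row in the table (and so "logs in" as the first user returned), while the parameterized query matches none, because the whole string ' or '1' = '1 is compared as a literal password value rather than parsed as SQL. Valid credentials still match exactly one row with either method.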