Black Horse Day10 pre-compilation to solve SQL injection attack &preparestatement

SQL injection attacks:
Because the SQL statements executed in DAO are stitched up, and some of them are passed in by the user from the client, it is possible to change the semantics of the SQL statement by using these keywords when the user passes in the data that contains the SQL keyword, thus performing some special operations. This attack is called a SQL injection attack.

1. Login The database implementation code:

Public User Finduserbyusernameandpassword (string Username, string password) {try {<span style= "color: #ff0000;" >string sql= "SELECT * from Users where username= '" +username+ "' and password= '" +password+ "'" </span>;con= Jdbcutils.getconnection (); Sta =con.createstatement (); rs=sta.executequery (SQL); if (Rs.next ()) {User user=new user (); User.setid (Rs.getint ("id")), User.setusername (rs.getstring ("username")), User.setnickname (rs.getstring ("nickname ")); User.setemail (" email "); return user;} Else{return null;}} catch (SQLException e) {e.printstacktrace (); throw new RuntimeException ();} Finally{jdbcutils.closeresource (RS, STA, con);}}

2. Login interface:My database has already added DD user name and password for DD password user, but I fill in the User name input box dd ' #的时候不输入密码也能登陆. What is the reason for this? We find the code that affects this in the database: String sql= "SELECT * from Users where username= '" +username+ "' and password= '" +password+ "'";If you add ' #: It's equivalent to dropping the back comment. So you just have to judge the user name correctly!

3. In order to resolve this attack we can use the Preparestatement

PreparedStatement uses a pre-compiled mechanism to transfer the backbone and parameters of the SQL statement to the database server separately, so that the database can distinguish which is the backbone of the SQL statement which is the parameters, so even if the parameters with the SQL keyword, The database server also simply uses him as a parameter value, and the keyword does not work, thereby preventing SQL injection from being a principle issue.

Preparestatement Case:

Package Cn.itheima.jdbc;import Java.sql.connection;import Java.sql.preparedstatement;import java.sql.ResultSet; Import Cn.itheima.utils.jdbcutils;public class JDBCDemo5 {public static void main (string[] args) {Connection con=null; PreparedStatement Ps=null; ResultSet rs=null;try {con=jdbcutils.getconnection ();p s=con.preparestatement ("select * from user where name=?"); Ps.setstring (1, "Anlu"); Rs=ps.executequery ();//1. Query the data to form a table//rs point to the previous line of the queried data table if (Rs.next ()) {String id = rs.getstring (" ID "); String name=rs.getstring ("name"); String birthday=rs.getstring ("Birthday"); System.out.println (id+ ":" +name+ ":" +birthday);}} catch (Exception e) {e.printstacktrace (); throw new RuntimeException ();} Finally{jdbcutils.closeresource (RS, ps, con);}}}

the arguments in the statement are all used? Then use the Ps.setxxx method to set the parameters

Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

Black Horse Day10 precompiled to solve SQL injection attack &preparestatement