How to prevent SQL injection method from adding the MySQL database authentication password ' or ' 1 ' = ' 1 in Java to preparedstatement the universal password

Last Update:2017-09-21 Source: Internet

Author: User

Tags how to prevent sql injection

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

 PackageCom.swift;Importjava.sql.Connection;ImportJava.sql.DriverManager;Importjava.sql.PreparedStatement;ImportJava.sql.ResultSet;Importjava.sql.SQLException; Public classloginjdbc$preparedstatement { Public Static voidMain (string[] args) {User Userzhangsan=NewUser ("Swift", "123456 ' or ' 1 ' = ' 1"); if(Login (Userzhangsan)) {System.out.println ("The account password is correct and the login is successful"); }Else{System.out.println ("Login Failed"); }     }    Private Static BooleanLogin (User userzhangsan) {Connection conn=NULL; PreparedStatement PS=NULL; ResultSet RS=NULL; Try {            //1, Load driveClass.forName ("Com.mysql.jdbc.Driver"); } Catch(ClassNotFoundException e) {e.printstacktrace (); }        Try {            //2, link database, using Com.mysql.jdbc.Connection package will be errorConn=drivermanager.getconnection ("Jdbc:mysql://localhost:3306/sw_database?user=root&password=root"); //3. Create a connection statementPs=conn.preparestatement ("select * from Sw_user where username= '" +userzhangsan.getusername () + "' and password= '" + Userzhangsan.getpassword () + "'"); //4. Execute SQL statement to get result setrs=Ps.executequery (); if(Rs.next ()) {return true; }        } Catch(SQLException e) {e.printstacktrace (); }finally {            //Close Result set            Try {                if(rs!=NULL) {rs.close (); }            } Catch(SQLException e) {//TODO auto-generated Catch blockE.printstacktrace (); }            //closing a connection statement            Try {                if(ps!=NULL) {ps.close (); }            } Catch(SQLException e) {//TODO auto-generated Catch blockE.printstacktrace (); }            //To close a database connection            Try {                if(conn!=NULL) {conn.close (); }            } Catch(SQLException e) {//TODO auto-generated Catch blockE.printstacktrace (); }        }        return false; }}

The SQL statements in the above code are concatenated by string, although PreparedStatement has been used, but still does not prevent injection, because the string connection can be added ' or ' 1 ' = ' 1
Ps=conn.preparestatement ("select * from Sw_user where username= '" +userzhangsan.getusername () + "' and password= '" + Userzhangsan.getpassword () + "'");
Change the above SQL statement to select * from Sw_user where username=? and password=?
There is no string connection, password plus other characters SQL cannot execute
So the code changes as follows:

 PackageCom.swift;Importjava.sql.Connection;ImportJava.sql.DriverManager;Importjava.sql.PreparedStatement;ImportJava.sql.ResultSet;Importjava.sql.SQLException; Public classLoginjdbc$preparedstatement2 { Public Static voidMain (string[] args) {User userswift=NewUser ("Zhangsan", "123456"); if(Login (userswift)) {System.out.println ("The account password is correct and the login is successful"); }Else{System.out.println ("Login Failed"); }     }    Private Static BooleanLogin (User userswift) {Connection conn=NULL; PreparedStatement PS=NULL; ResultSet RS=NULL; Try {            //1, Load driveClass.forName ("Com.mysql.jdbc.Driver"); } Catch(ClassNotFoundException e) {e.printstacktrace (); }        Try {            //2, link database, using Com.mysql.jdbc.Connection package will be errorConn=drivermanager.getconnection ("Jdbc:mysql://localhost:3306/sw_database?user=root&password=root"); //3. Create a connection statementPs=conn.preparestatement ("select * from Sw_user where username=?") and password=? "); Ps.setstring (1, Userswift.getusername ()); Ps.setstring (2, Userswift.getpassword ()); //4. Execute SQL statement to get result setrs=Ps.executequery (); if(Rs.next ()) {return true; }        } Catch(SQLException e) {e.printstacktrace (); }finally {            //Close Result set            Try {                if(rs!=NULL) {rs.close (); }            } Catch(SQLException e) {//TODO auto-generated Catch blockE.printstacktrace (); }            //closing a connection statement            Try {                if(ps!=NULL) {ps.close (); }            } Catch(SQLException e) {//TODO auto-generated Catch blockE.printstacktrace (); }            //To close a database connection            Try {                if(conn!=NULL) {conn.close (); }            } Catch(SQLException e) {//TODO auto-generated Catch blockE.printstacktrace (); }        }        return false; }}

How to prevent SQL injection method from adding the MySQL database authentication password ' or ' 1 ' = ' 1 in Java to preparedstatement the universal password

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More