SQL injection attacks
When you enter your account and password in the page, the password is set to ' or ' 1 ' = ' 1 o'clock, and when you enter the back-end server to query the information in the database, the query statement consists of:
SELECT * from Hhuser where nick= ' Zhangsan ' and passwords= ' or ' 1 ' = ' 1 ', the statement regardless of the user name and password can be found to meet the ' 1 ' = ' 1 ' condition, is the query user list is not empty. You can also use SQL attacks to cause irreversible disasters to your data. If you add ';d ROP table AAA after the password, the data table will be deleted.
SQL Injection Prevention
1. Use pre-compiled statements.
You can use the precompiled statement PreparedStatement to make a data query, execute the SQL statement through the statement object, send the SQL statement to the DBMS, and then execute it with the DBMS compiled. Precompiled instance:
String sql = "SELECT * from hhuser where Nick =?" and passwords =? ";
PreparedStatement st = conn.preparestatement (SQL);
St.setstring (1,nickname);
St.setstring (2,password);
ResultSet rs = St.executequery ();
2. Using ORM Framework
Use frameworks such as Ibatis, Hibernate, and so on, because these frames transfer keywords or special characters.
3, avoid password-free plaintext storage.
4, handle the exception of the response.
SQL injection attacks