The previous article introduced SQL injection and experimented with PHP content primarily:
Http://www.cnblogs.com/charlesblc/p/5987951.html
This article also introduces the processing scheme (PreparedStatement in PDO or mysqli)
Http://www.cnblogs.com/charlesblc/p/5988919.html
So what is the case for Java?
First, try to avoid SQL stitching, and the parameters are quoted. Use regular filtering, front-end filtering. Use string conversions to escape processing.
Finally, try to use a precompiled statement set PreparedStatement.
The analysis shows that PreparedStatement compared with statement basically solves the problem of SQL injection, and also has a certain increase in efficiency.
PreparedStatement the parameters are escaped, do not allow the direct delivery of quotation marks;
It is not allowed to change the logical structure of SQL in the process of parameter transfer, and it is not allowed to change the logical structure of query at different insertion time.
Using the PreparedStatement provided by the interface setxxx, in the wrong type will be directly error.
Basic SQL injection is filtered (basically, because there are no breakthroughs or new vulnerabilities found in the back-attack technology now).
In addition, the Web layer allows us to filter the input of the user to prevent SQL injection such as filtering global form parameters with filter.
The Java connection database basically uses MyBatis (previously also hibernate). Bare JDBC calls are rarely used. So we don't experiment.
SQL injection vs. java