What is SQL injection? Understanding SQL injection from scratch

Source: Internet
Author: User
Tags: sql injection, stmt
Understanding SQL injection from scratch: what is SQL injection? In short, only I (the application) should be able to operate the database; I only let you enter content, but you entered a command, so the database carried out an operation I knew nothing about.

SQL injection

1. What is SQL injection

    • Take a look at the following case, which is the normal login scenario:

    • But when we enter the username ':-' , the password can be anything and the login still succeeds ↓

    • Comparing the two SQL statements shows what happened: the user wrote SQL syntax into the username field, which terminated the intended SQL early, so the retrieval condition in the second half of the statement (the password check) no longer applies, and the login succeeds without a password.

SQL injection, in plain terms: only I should be able to operate the database. I originally only let you enter content, but you entered a command, and so the database performed an operation that I did not know about.

2. Bug fixes

    • The cause is that the SQL above is built by dynamic concatenation, so the value passed in can change the semantics of the SQL.

Dynamic concatenation means mixing Java variables into the SQL statement in Java code (the original text dropped the second "+" after password; corrected here):

            "SELECT * FROM user WHERE username = '" + username + "' AND password = '" + password + "'"

    • So use PreparedStatement's parameterized SQL: the semantics of the statement are defined first and the parameters are passed in afterwards, so the SQL semantics cannot be changed by the parameters that are passed in (parameters are passed via setInt, setString, setBoolean).
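The two approaches side by side, as an added example that is not part of the original post: the same login check written with string concatenation (sections 1 and 2 above) and with a placeholder query, run against a constructed in-memory SQLite table. The table name, columns and sample user are assumptions modelled on the page's query; the point, that only the concatenated form lets the username terminate the statement early and drop the password condition, is language-independent.

```python
import sqlite3


def make_db():
    """Constructed sample database: a 'user' table shaped like the page's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userName TEXT, password TEXT)")
    conn.execute("INSERT INTO user VALUES ('Zhang San', '123456')")
    conn.commit()
    return conn


def concatenated_sql(username, password):
    """Dynamic concatenation as in the page: input becomes part of the SQL text."""
    return ("SELECT * FROM user WHERE userName = '" + username +
            "' AND password = '" + password + "'")


def login_concatenated(conn, username, password):
    # The semantics of the statement depend on whatever the user typed.
    return conn.execute(concatenated_sql(username, password)).fetchone() is not None


def login_parameterized(conn, username, password):
    """Placeholder query: the statement's meaning is fixed before values are bound,
    so the values are only ever compared as data, never parsed as SQL."""
    sql = "SELECT * FROM user WHERE userName = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    conn = make_db()
    good = ("Zhang San", "123456")
    # A username that closes the quoted string and comments out the rest of the
    # statement, so the password condition is never evaluated (the page's case).
    bad = ("Zhang San' --", "wrong")
    return {
        "concat_valid": login_concatenated(conn, *good),
        "concat_injected": login_concatenated(conn, *bad),
        "param_valid": login_parameterized(conn, *good),
        "param_injected": login_parameterized(conn, *bad),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login succeeded' if ok else 'login failed'}")
```

Running it shows the injected username logging in through the concatenated query but being rejected by the parameterized one, which is the whole of the fix the page recommends.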

3. Parameterized SQL Use Cases

            // Establish the database connection
            Connection conn = ds.getConnection();
            // 1. Create a PreparedStatement with a placeholder SQL statement
            PreparedStatement ptmt = conn.prepareStatement("SELECT * FROM user WHERE userName = ? AND password = ?");
            // 2. Set the parameters
            ptmt.setString(1, "Zhang San");
            ptmt.setString(2, "123456");
            ResultSet rs = ptmt.executeQuery();
            while (rs.next()) {
                System.out.println("Login succeeded");
                return;
            }
            System.out.println("Login failed");

Parameterization features:

1. Create a PreparedStatement with a placeholder SQL statement

How Statement executes SQL statements, for comparison:

            Statement stmt = conn.createStatement();
            ResultSet rs = stmt.executeQuery("SELECT userName FROM user");

2. Setting parameters

PreparedStatement inherits from Statement; its main purpose is to add the ability to parameterize SQL.

Further reading: https://blog.csdn.net/qq_30258957/article/details/78145885

Addendum: 1. Both are used to execute SQL; PreparedStatement extends Statement;

2. Statement is suitable for executing static (unconditional) SQL; PreparedStatement is suitable for executing dynamic (conditional) SQL;

3. PreparedStatement can avoid injection attacks (as long as user input is passed only through its set methods and never concatenated into the SQL string).
