SQL injection attacks:
When the program builds SQL by string concatenation, an input value such as  Jack' #  or  Jack' or '1=1  (note the embedded apostrophe) changes the semantics of the SQL, because SQL syntax (the # comment marker or the condition or 1=1) now appears inside the statement itself. This causes data leakage and leaves a hidden security risk in the system.
Examples of statements whose SQL semantics have been changed by such input:
SELECT * FROM user WHERE username='Jack' #' AND password=''
SELECT * FROM user WHERE username='Jack' OR '1=1' AND password=''
In the first statement everything after # is treated as a comment, so the password check is never evaluated.
To defend against SQL injection:
Use PreparedStatement objects.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;

// (conn is an open java.sql.Connection; username and password are assumed to hold
//  the user-supplied values, e.g. read from the login form)

// 3. Obtain a pre-compiled statement. The "?" in the SQL is a placeholder;
//    a SQL string containing placeholders is called the SQL skeleton.
String sql = "SELECT * FROM user WHERE username=? AND password=?";
PreparedStatement ps = conn.prepareStatement(sql);

// Bind the parameters with setString:
//   the first argument is the 1-based position of the question mark,
//   the second argument is the value that replaces that question mark.
ps.setString(1, username);
ps.setString(2, password);

// 4. Execute the SQL.
ResultSet rs = ps.executeQuery();
PreparedStatement advantages:
1. Prevents SQL injection. The SQL skeleton (the statement with ? placeholders) is sent to the database server first, and the parameter values are sent afterwards, separately from the statement. The database therefore treats the values purely as data: any SQL keyword inside a value is handled as ordinary text, not as part of the SQL.
2. Removes the trouble of concatenating arguments. Each ? is a placeholder, and the value for each position is bound and assigned with the setString method.
3. Improves execution efficiency. The SQL skeleton is cached; the next time the same skeleton is needed, the cache is checked first, and only if the skeleton is not found there is the SQL statement sent to the database again.
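The following class is an added example (not code from the original page) that puts the two approaches side by side: a method that builds the query by concatenation, kept only to show how the statement text changes for the page's example input, and a login check that uses PreparedStatement with the values bound through setString. The table name and columns follow the page; the JDBC URL, database user and password are assumed placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginQueryDemo {

    // Vulnerable version: user input is concatenated straight into the SQL text.
    // Present only to show how the statement's meaning changes; never use this pattern.
    static String buildConcatenatedSql(String username, String password) {
        return "SELECT * FROM user WHERE username='" + username
                + "' AND password='" + password + "'";
    }

    // Hardened version: the skeleton with ? placeholders is compiled first and the
    // values are bound afterwards, so they are always treated as data, never as SQL.
    static boolean loginWithPreparedStatement(Connection conn, String username,
                                              String password) throws SQLException {
        String sql = "SELECT id FROM user WHERE username=? AND password=?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);   // 1 = first question mark
            ps.setString(2, password);   // 2 = second question mark
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();        // true only if a matching row exists
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Input taken from the page's own illustration, plus a constructed password
        String suspiciousName = "Jack' #";
        String anyPassword = "xyz";

        // Show the concatenated text: the # turns the rest of the line into a comment
        System.out.println(buildConcatenatedSql(suspiciousName, anyPassword));

        // Assumed connection details (placeholders, not from the page)
        try (Connection conn = DriverManager.getConnection(
                "jdbc:mysql://localhost:3306/demo", "demo_user", "demo_password")) {
            // With PreparedStatement the same input is looked up literally, as a
            // username containing an apostrophe and a hash sign, so no row matches.
            boolean ok = loginWithPreparedStatement(conn, suspiciousName, anyPassword);
            System.out.println("login succeeded: " + ok);
        }
    }
}
```

Running it requires a JDBC driver on the classpath and a database reachable at the assumed URL; the first println alone (no connection needed) already shows why concatenation is the defect and why binding through setString is the fix.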
SQL injection attack and its solution