1. Definition:
SQL injection is the insertion of SQL fragments into web form fields or into the query string of a page request, so that the server concatenates the attacker's text into a database query and ends up executing the resulting malicious SQL.
2. Methods to prevent SQL injection:
A: Use PreparedStatement instead of Statement.
1) Code written with PreparedStatement is more readable and maintainable than the equivalent Statement code built by string concatenation.
2) PreparedStatement gives the best performance: the SQL is compiled once and can be re-executed with different parameter values.
3) Most importantly, PreparedStatement greatly improves security: the query text is fixed when it is prepared and the parameters are sent to the database as data, so user input can never change the structure of the SQL.
String sql = "select * from admin where username=? and password=?";
PreparedStatement psmt = con.prepareStatement(sql);
psmt.setString(1, username);   // bound as data, never parsed as SQL
psmt.setString(2, password);   // (storing and comparing a hash rather than the plaintext password is a separate concern)
ResultSet rs = psmt.executeQuery();
boolean found = rs.next();     // true only if a matching admin row exists
rs.close();
psmt.close();
con.close();
return found;
B: Filter input strings.
public static String filterContent(String content) {
    String flt = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";
    String[] filter = flt.split("\\|");   // "|" alone is regex alternation and would split between every character
    for (int i = 0; i < filter.length; i++) {
        content = content.replace(filter[i], "");   // String is immutable, so the result must be kept
    }
    return content;
}
Or implement a javax.servlet.Filter that applies the same check to every request parameter before it reaches the application. Note that a keyword blacklist like this is a weak, secondary control: it is case-sensitive (this one does nothing about "OR" or "SELECT"), it silently damages legitimate input ("password" becomes "passwd" once "or" is removed), and attackers bypass such lists routinely. It must never replace parameterized queries.
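The following Python/sqlite3 script is an added example, not code from the original page. It stands in for the JDBC code above using a constructed in-memory admin table (one row, root / s3cret; the function names make_db, login_concat, login_prepared and lookup_by_id_filtered are illustrative) and shows why method A works and why method B on its own does not: the concatenated query accepts the classic tautology payload, the parameterized query treats the same payload as an ordinary string, and a direct port of filterContent() both damages legitimate input and is bypassed by a change of case in a numeric WHERE clause.

```python
import sqlite3


# Constructed in-memory stand-in for the "admin" table used in the Java code above.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    con.execute("INSERT INTO admin VALUES ('root', 's3cret')")
    con.commit()
    return con


def login_concat(con, username, password):
    """Vulnerable: the Statement-plus-concatenation pattern.
    User input becomes part of the SQL text and can change the query's structure."""
    sql = ("SELECT * FROM admin WHERE username='" + username
           + "' AND password='" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_prepared(con, username, password):
    """Safe: the PreparedStatement/setString pattern.
    The SQL text is fixed; the values are bound as data and never parsed as SQL."""
    sql = "SELECT * FROM admin WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone() is not None


# Same token list as the Java filterContent(); str.split is literal, so "|" needs no escaping here.
BLACKLIST = ("'|and|exec|insert|select|delete|update|count|*|%|chr|mid|"
             "master|truncate|char|declare|;|or|-|+|,").split("|")


def filter_content(content):
    """Port of filterContent(): case-sensitive substring removal, like Java's String.replace."""
    for token in BLACKLIST:
        content = content.replace(token, "")
    return content


def lookup_by_id_filtered(con, raw_id):
    """Numeric WHERE clause protected only by the blacklist, then concatenated.
    Returns the matching usernames, or None when the filtered text no longer parses as SQL."""
    sql = "SELECT username FROM admin WHERE rowid=" + filter_content(raw_id)
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.OperationalError:
        return None


def demo():
    con = make_db()
    payload = "' OR '1'='1"   # classic tautology payload
    return {
        "concat_valid": login_concat(con, "root", "s3cret"),
        "concat_injected": login_concat(con, payload, payload),      # True: authentication bypassed
        "prepared_valid": login_prepared(con, "root", "s3cret"),
        "prepared_injected": login_prepared(con, payload, payload),  # False: payload is just a string value
        "filter_mangles_legit": filter_content("password"),          # 'passwd': the blacklist strips "or"
        "filter_lowercase": lookup_by_id_filtered(con, "0 or 1=1"),  # None: "or" removed, SQL no longer parses
        "filter_uppercase": lookup_by_id_filtered(con, "0 OR 1=1"),  # ['root']: case bypass returns every row
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The lowercase payload is stopped only because the mangled SQL fails to parse, not because the input was rejected; the same attacker simply types "OR" and the filter passes it through untouched, while an honest user named Sandra loses the "and" from her name.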