So why do the problems above occur? They are caused by inadequate control at the program code layer. If the Web front end strictly validates the input data (the strings that end up manipulating the database) and escapes sensitive characters on the client side, or if the DAO layer that operates on the database uses SQL with dynamic (bound) parameters instead of SQL assembled by string concatenation, this kind of problem can be prevented.
In general, if the tester understands the specific design of the DAO layer, then where it uses non-concatenated SQL, most of these problematic SQL statements will be intercepted. Where it uses string concatenation, the tester can design test cases for it and test it thoroughly.
So why does the non-concatenation method effectively prevent SQL injection?
Modify the core code block above to use dynamic SQL (the precompiled SQL method):
String hql = "delete from Department where name = ?";
Query query = session.createQuery(hql);
query.setString(0, name);
Enter the same problematic input as before:
This time the record is not deleted. Why?
Because the escaping of sensitive characters in the string is implemented inside the setString method. The JDK provides the PreparedStatement interface; in the MySQL driver jar, the driver's PreparedStatement class implements the JDK's PreparedStatement, and its setString method looks like this:
public void setString(int parameterIndex, String x) throws SQLException {
    // if the passed string is null, then set this column to null
    if (x == null) {
        setNull(parameterIndex, Types.CHAR);
    } else {
        StringBuffer buf = new StringBuffer((int) (x.length() * 1.1));
        buf.append('\'');

        int stringLength = x.length();

        //
        // Note: buf.append(char) is _faster_ than
        // appending in blocks, because the block
        // append requires a System.arraycopy()....
        // go figure...
        //

        for (int i = 0; i < stringLength; ++i) {
            char c = x.charAt(i);

            switch (c) {
            case 0: /* Must be escaped for 'mysql' */
                buf.append('\\');
                buf.append('0');
                break;

            case '\n': /* Must be escaped for logs */
                buf.append('\\');
                buf.append('n');
                break;

            case '\r':
                buf.append('\\');
                buf.append('r');
                break;

            case '\\':
                buf.append('\\');
                buf.append('\\');
                break;

            case '\'':
                buf.append('\\');
                buf.append('\'');
                break;

            case '"': /* Better safe than sorry */
                if (this.usingAnsiMode) {
                    buf.append('\\');
                }
                buf.append('"');
                break;

            case '\032': /* This gives problems on Win32 */
                buf.append('\\');
                buf.append('Z');
                break;

            default:
                buf.append(c);
            }
        }

        buf.append('\'');

        String parameterAsString = buf.toString();
        byte[] parameterAsBytes = null;

        if (!this.isLoadDataQuery) {
            parameterAsBytes = StringUtils.getBytes(parameterAsString,
                    this.charConverter, this.charEncoding, this.connection
                            .getServerCharacterEncoding(), this.connection
                            .parserKnowsUnicode());
        } else {
            // Send with platform character encoding
            parameterAsBytes = parameterAsString.getBytes();
        }

        setInternal(parameterIndex, parameterAsBytes);
    }
}
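To make the difference between the two DAO styles visible without a database, here is an added stand-alone example (not code from the original post or from the MySQL driver). It mirrors the escaping switch of the setString method above in a helper of its own, applies it to a constructed test-case input containing a single quote, and counts the unescaped quote delimiters in the resulting statement; it assumes usingAnsiMode is false, so '"' is passed through unchanged.

```java
// EscapeDemo.java: added illustration mirroring the driver's escaping loop.
public class EscapeDemo {

    // Concatenation: the caller's string becomes part of the SQL grammar.
    static String concatenated(String name) {
        return "delete from Department where name='" + name + "'";
    }

    // Parameter binding: the driver quotes and escapes the value itself,
    // following the same cases as the setString method shown above
    // (assumption: usingAnsiMode == false, so '"' is not escaped).
    static String bound(String name) {
        StringBuilder buf = new StringBuilder(name.length() + 2);
        buf.append('\'');
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            switch (c) {
                case 0:      buf.append("\\0");  break;
                case '\n':   buf.append("\\n");  break;
                case '\r':   buf.append("\\r");  break;
                case '\\':   buf.append("\\\\"); break;
                case '\'':   buf.append("\\'");  break;
                case '\032': buf.append("\\Z");  break;
                default:     buf.append(c);
            }
        }
        buf.append('\'');
        return "delete from Department where name=" + buf;
    }

    // Count single quotes that open or close a literal (a backslash escapes
    // the character after it). One literal needs exactly two; more than two
    // means the input has broken out of the literal and into the grammar.
    static int literalDelimiters(String sql) {
        int n = 0;
        for (int i = 0; i < sql.length(); i++) {
            char c = sql.charAt(i);
            if (c == '\\') { i++; continue; }   // skip the escaped character
            if (c == '\'') n++;
        }
        return n;
    }

    public static void main(String[] args) {
        String input = "Sales' OR '1'='1";   // constructed test-case input
        for (String sql : new String[] { concatenated(input), bound(input) }) {
            System.out.println(sql + "   [literal delimiters: " + literalDelimiters(sql) + "]");
        }
    }
}
```

Run with `java EscapeDemo.java` (JDK 11 or later): the concatenated statement contains 6 delimiters, i.e. three literals and an injected OR clause, while the bound statement contains exactly 2, so the whole input stays inside one string literal.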
HQL offers many other methods for dynamic parameter binding: binding by parameter name, binding by parameter position, the setParameter() method, and so on. See http://baike.baidu.com/link?url=NKt6I-Gk0HnyFRWyZ0_ZuDe0pz_aDqVul-VDJZCDCGl9K5LsBghBfxhPVJmZh9qmBKtXgY2EqAqK1oQUNK2Su_
Java Web SQL Injection Test (3) --- Phenomenon Analysis