Jdbc-sql Injection Attack

Ten SQL injection attacks

--Early login logic is to bring the user name and password entered in the form into the following SQL statement. If the query results, then the login is considered successful.

SELECT * from USER WHERE name= ' and password= ' xxx ';

--SQL injection: Please try the following user name and password.

/* User name:
Password: XXX
*/
--Bring the user name and password into the SQL statement as follows:

SELECT * from USER WHERE name= ' xxx ' OR 1=1--' and password= ' xxx ';

--found that the SQL statement lost its judgment effect, the conditional part becomes the identity.
--The problem with SQL injection is that the site can be logged in illegally.
//-------------------------------------------------------------------------------------------
What is the problem with thinking?
Bring the user name password into the SQL statement and discover that the SQL statement becomes the following form:
SELECT * from t_student WHERE name= ' abcd ' OR 1=1;--' and password= ' 1234 ';
The SQL statement is an identity condition. So the record must be queried. Cause anonymous landing. There's a security breach.

If so, how can we solve the problem?
1> WORKAROUND: When transporting SQL, we are using the statement object. If you change to a Preparestatement object, the problem does not occur.
2>sql statement do not spell directly again. And to do it in a precompiled way.
Complete as in the previous two steps. The problem can be resolved.
* Why do I use preparestatement objects to solve problems?
The execution of SQL requires compilation. The injection problem occurs because the user fills in the SQL statement and participates in the compilation. Using the Preparestatement object
When you execute a SQL statement, you are divided into two steps. The first step is to "ship" the SQL statement to MySQL compilation. Go back to the Java side and get the parameters shipped to the MySQL side.
The SQL statement that the user fills out will not participate in the compilation. It will only look like a parameter. Avoid SQL injection problems;
Preparestatement the same as the execution of the parent sentence, with different parameters for batch execution. Because it compiles only once. It saves a lot of compilation time. The efficiency will be high.

-----------------------------------------------
The difference between using the Preparestatement object and the statement object

1.Statement can be created first, and then write the SQL statement.
Preparestatement be sure to pass in the SQL statement when it is created, because it is shipped to the database before it is precompiled

Api:
PreparedStatement PST = conn.preparestatement (SQL);

2. Preparestatement to set the arguments in the statement before executing.

Api:
Pst.setstring (1, name); --the invocation of the set method depends on the type of the parameter.

Char/varchar setString
int Setint
Double setdouble
Datatime/timestamp setDate
3. Statement objects pass in SQL statements when they are actually executed
The SQL statement and corresponding parameters have been set preparestatement before execution. Execution method does not require parameters

Api:
ResultSet rs = Pst.executequery ();

Jdbc-sql Injection Attack