This article covers only the coding-layer methods for fixing SQL injection vulnerabilities; the example code is Java-based.
1. Parameterized prepared statements

Unsafe example: the request parameter is concatenated straight into the SQL text, so a crafted value changes the meaning of the query.

```java
// Unsafe: user input is spliced directly into the SQL string
String query = "SELECT account_balance FROM user_data WHERE user_name = "
        + request.getParameter("customerName");
try {
    Statement statement = connection.createStatement();
    ResultSet results = statement.executeQuery(query);
    // ...
} catch (SQLException e) {
    // ...
}
```
To stop unsafe values from reaching the query through parameters, use parameterized prepared statements (PreparedStatement): the SQL text is fixed at compile time and the user value is bound as data, so it can never be interpreted as part of the statement. Input validation is still worthwhile as a first line of defence, but the binding is what removes the injection.

```java
// Perform input validation first, then bind the value instead of concatenating it
String custname = request.getParameter("customerName");
String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, custname);
ResultSet results = pstmt.executeQuery();
```
2. Whitelist of input parameters

Bind parameters can only carry values, not SQL syntax, so key parts of a statement such as table names, column names, or sort keywords (ASC, DESC) cannot be passed as parameters. Do not build them from user input either. Instead, have the caller supply a flag or token and map it to a fixed set of allowed SQL fragments; any unexpected value is rejected, as in the following examples.

```java
String tableName;
switch (param) {
    case "value1":
        tableName = "fooTable";
        break;
    case "value2":
        tableName = "barTable";
        break;
    // ...
    default:
        throw new InputValidationException("Unexpected value provided for table name");
}
```

For the sort direction, a boolean leaves no room for anything but the two allowed keywords:

```java
public String someMethod(boolean sortOrder) {
    String sql = "Some SQL ... ORDER BY salary " + (sortOrder ? "ASC" : "DESC");
    // ...
}
```
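The following added example is not from the original article: it reproduces both fixes, value binding (section 1) and the allow-listed table and sort fragments (section 2), in Python with the standard-library sqlite3 module rather than Java, so it runs offline with no JDBC driver or server. The table contents, the `' OR '1'='1` payload, and the mapping names (`foo_table`, `bar_table`, the sort keys) are constructed for the example; the unsafe query quotes the concatenated value, where the article's Java snippet leaves it unquoted, to make the classic payload work.

```python
import sqlite3

# Constructed sample data for the example (not from the original article)
SAMPLE_ROWS = [
    ("alice", 100),
    ("bob", 250),
    ("carol", 75),
]


class InputValidationException(ValueError):
    """Raised when a request value is not in the allow-list."""


def open_db():
    """Create an in-memory database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (user_name TEXT, account_balance INTEGER)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def balance_unsafe(conn, customer_name):
    """Vulnerable: the value is concatenated into the SQL text (section 1, unsafe form)."""
    query = ("SELECT account_balance FROM user_data WHERE user_name = '"
             + customer_name + "'")
    return [row[0] for row in conn.execute(query)]


def balance_safe(conn, customer_name):
    """Hardened: the value is bound as a parameter, like the PreparedStatement fix."""
    query = "SELECT account_balance FROM user_data WHERE user_name = ?"
    return [row[0] for row in conn.execute(query, (customer_name,))]


# Allow-lists for fragments that cannot be bound as parameters (identifiers, keywords).
# The mappings are hypothetical; the keys are what the request carries, the values
# are the only SQL text that can ever reach the statement.
ALLOWED_TABLES = {"value1": "foo_table", "value2": "bar_table"}
ALLOWED_SORT_COLUMNS = {"name": "user_name", "balance": "account_balance"}


def pick_table(param):
    """Python equivalent of the article's switch: map a token to a table name or reject."""
    try:
        return ALLOWED_TABLES[param]
    except KeyError:
        raise InputValidationException(
            f"Unexpected value provided for table name: {param!r}") from None


def sorted_balances(conn, sort_key, ascending):
    """Build ORDER BY only from allow-listed column names and a boolean direction."""
    try:
        column = ALLOWED_SORT_COLUMNS[sort_key]
    except KeyError:
        raise InputValidationException(f"Unexpected sort key: {sort_key!r}") from None
    direction = "ASC" if ascending else "DESC"
    # Safe: `column` and `direction` come from fixed program constants, never from input
    query = (f"SELECT user_name, account_balance FROM user_data "
             f"ORDER BY {column} {direction}")
    return list(conn.execute(query))


if __name__ == "__main__":
    conn = open_db()
    payload = "' OR '1'='1"
    print("unsafe, honest name :", balance_unsafe(conn, "alice"))
    print("unsafe, payload     :", balance_unsafe(conn, payload))  # every balance leaks
    print("safe,   payload     :", balance_safe(conn, payload))    # treated as a literal name
    print("sorted by balance   :", sorted_balances(conn, "balance", True))
    try:
        sorted_balances(conn, "account_balance; DROP TABLE user_data", True)
    except InputValidationException as exc:
        print("rejected:", exc)
```

Running the script shows the point of each section in one place: the concatenated query returns all three balances for the payload, the bound query returns nothing because the payload is simply a user name that does not exist, and an attempt to smuggle SQL through the sort key never reaches the database because it is not one of the allow-listed tokens.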