SQL injection Analysis and optimization scheme in Java program

First to see the explanation of Baidu Encyclopedia:

The so-called SQL injection is by inserting SQL commands into the Web Form submitting or entering a query string for a domain name or page request, eventually reaching the spoofed server to execute a malicious SQL command. Specifically, it is the ability to inject (malicious) SQL commands into the background database engine execution using existing applications, which can be obtained by entering (malicious) SQL statements in a Web form to a database on a Web site that has a security vulnerability, rather than executing the SQL statement as the designer intended. For example, many of the previous film and television sites leaked VIP membership password is mostly through the Web form to submit query characters, such forms are particularly vulnerable to SQL injection attacks .

SQL injection instance in 1.java program:

Take the user login as an example, the username admin is known.

650) this.width=650; "Src=" https://s4.51cto.com/wyfs02/M01/8E/10/wKioL1i02fLiWWhoAAAsBa6CPvM681.jpg-wh_500x0-wm_ 3-wmp_4-s_2674122166.jpg "title=" login.jpg "alt=" Wkiol1i02fliwwhoaaasba6cpvm681.jpg-wh_50 "/>

When you log on, the SQL that executes in the background is as follows:

SELECT * from sys_user where UserID = ' and userpwd = ' '

In the case of an unknown user password, if you enter admin ' and 1=1 or ' a ' = ' A in the username, then the actual SQL executed is as follows:

SELECT * from sys_user where UserID = ' admin ' and 1=1 or ' a ' = ' a ' and userpwd = '

The background execution results are as follows, causing the user password to be compromised:

650) this.width=650; "Src=" https://s4.51cto.com/wyfs02/M01/8E/12/wKiom1i029rwCecoAABCwQqa9E8693.jpg-wh_500x0-wm_ 3-wmp_4-s_2052046126.jpg "title=" sql.jpg "alt=" Wkiom1i029rwcecoaabcwqqa9e8693.jpg-wh_50 "/>

Login Module DAO Layer code:

Public list<map<string, object>> login (string username, string password) {String sql = ' SELECT * FROM    Sys_user WHERE UserID = ' "+username+" ' and userpwd = ' "+password+" ' ";    return jdbctemplate.queryforlist (SQL); }

Avoid SQL injection in 2.java programs

For example, the above login module DAO layer code, the use of string stitching to splice SQL statements will cause SQL to be injected, so there is a SQL in DAO in SQL concatenation of the theory of SQL injection risk. This problem can be avoided effectively by adopting the method of object incoming. Refine the methods in the above DAO as follows:

Public list<map<string, object>> login (string username, string password) {String sql = ' SELECT * FROM Sys_user where UserID =?    and userpwd =? ";    list<object> obj = new arraylist<object> ();    Obj.add (username);    Obj.add (password);    return jdbctemplate.queryforlist (SQL, Obj.toarray ()); }

This article is from the "Love Life, Love Java" blog, please be sure to keep this source http://ycj7126168.blog.51cto.com/8298495/1901925

SQL injection Analysis and optimization scheme in Java program