Understanding SQL injection from scratch: what is SQL injection?
SQL injection
1. What is SQL injection
Comparing the two SQL statements (the one the developer intended and the one that actually ran) shows what happened: the user typed a SQL quote character into the username field, which closed the string literal early, and the remainder of the statement's retrieval condition (the password check) was neutralized, so the user was logged in without a password.
SQL injection, in short: the application only intended to let the user enter data, but the user entered a command, and the database carried out an operation the application never knew about.
2. Fixing the vulnerability
Dynamic concatenation mixes Java variables into the SQL text in Java code: "SELECT * FROM user WHERE username = '" + username + "' AND password = '" + password + "'"
Use PreparedStatement's parameterized SQL instead: the statement's semantics are fixed first and the parameters are passed in afterwards, so the SQL semantics cannot be changed by whatever values are passed in. (Parameters are supplied through setInt, setString, setBoolean and so on.)
3. Parameterized SQL Use Cases
// Establish the database connection (ds is a javax.sql.DataSource)
Connection conn = ds.getConnection();
// 1. Create the PreparedStatement from a SQL statement that uses placeholders
PreparedStatement ptmt = conn.prepareStatement("SELECT * FROM user WHERE username = ? AND password = ?");
// 2. Set the parameters (1-based positions)
ptmt.setString(1, "Zhang San");
ptmt.setString(2, "123456");
ResultSet rs = ptmt.executeQuery();
while (rs.next()) {
    System.out.println("Login succeeded");
    return;
}
System.out.println("Login failed");
Features of parameterized SQL:
1. Create the PreparedStatement with a SQL statement that uses placeholders
For comparison, this is how a plain Statement executes SQL:
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("SELECT username FROM user");
2. Set the parameters
PreparedStatement inherits from Statement; its main purpose is to add parameterization to SQL execution.
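To make the contrast between sections 2 and 3 concrete, here is an added, self-contained Java example (not code from the original article) that runs the concatenated login query and the PreparedStatement login query side by side against an in-memory H2 database. It assumes the H2 driver jar is on the classpath; the users table, its single row and the inputs are constructed test data. The crafted username is the exact case the article describes: a quote closes the string literal early and the rest of the statement becomes a comment, so the concatenated query stops checking the password, while the prepared query treats the same text as an ordinary value.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginDemo {

    // Vulnerable version: the statement text is assembled from user input, so a quote
    // character in the input becomes part of the SQL grammar instead of a value.
    static boolean loginConcat(Connection conn, String username, String password) throws SQLException {
        String sql = "SELECT * FROM users WHERE username = '" + username
                + "' AND password = '" + password + "'";
        System.out.println("executing: " + sql);   // shows the structure the database actually sees
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Fixed version: the statement text is fixed before any input is supplied, and the
    // driver hands the parameters over separately, so they can only be compared as values.
    static boolean loginPrepared(Connection conn, String username, String password) throws SQLException {
        String sql = "SELECT * FROM users WHERE username = ? AND password = ?";
        try (PreparedStatement ptmt = conn.prepareStatement(sql)) {
            ptmt.setString(1, username);
            ptmt.setString(2, password);
            try (ResultSet rs = ptmt.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: the H2 driver is on the classpath. The table and its row are constructed
        // test data; the table is named "users" because USER is a reserved word in H2.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement s = conn.createStatement()) {
                s.execute("CREATE TABLE users (username VARCHAR(64), password VARCHAR(64))");
                s.execute("INSERT INTO users VALUES ('Zhang San', '123456')");
            }

            // Ordinary use: both versions accept the right password and reject a wrong one.
            System.out.println("concat, correct password:   " + loginConcat(conn, "Zhang San", "123456"));
            System.out.println("prepared, correct password: " + loginPrepared(conn, "Zhang San", "123456"));
            System.out.println("concat, wrong password:     " + loginConcat(conn, "Zhang San", "wrong"));
            System.out.println("prepared, wrong password:   " + loginPrepared(conn, "Zhang San", "wrong"));

            // The case the article describes: the quote in the username closes the string
            // literal early and "--" turns the rest of the line, including the password
            // condition, into a comment. The concatenated query therefore never checks the
            // password; the prepared query simply looks for a user literally named "Zhang San' --".
            String crafted = "Zhang San' --";
            System.out.println("concat, crafted username:   " + loginConcat(conn, crafted, "wrong"));
            System.out.println("prepared, crafted username: " + loginPrepared(conn, crafted, "wrong"));
        }
    }
}
```

The printed "executing:" line from loginConcat is the check worth keeping in mind when reviewing code: if the SQL text an application sends to the database changes shape depending on what a user typed, the query is built the wrong way round, regardless of how the input is validated. The prepared version never changes shape, which is why it is the fix rather than an extra filter on the input.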
Reference: https://blog.csdn.net/qq_30258957/article/details/78145885
Additional notes:
1. Both are used to execute SQL; PreparedStatement extends Statement.
2. Statement is suited to executing static (unconditional) SQL; PreparedStatement is suited to executing dynamic (conditional) SQL.
3. PreparedStatement can prevent injection attacks.