准备好的语句可以防止sql注入攻击吗?
考虑一个假设的情况,我必须根据 userId 从数据库中检索一些详细信息,下面给出了示例代码。
private String getpassword(String username) {
PreparedStatement statement = null;
ResultSet resultSet = null;
Connection conn = null;
final String selectQuery = "SELECT password FROM " + "users WHERE username=?";
try {
conn = dataSource.getConnection();
statement = conn.prepareStatement(selectQuery);
statement.setString(1, username);
resultSet = statement.executeQuery();
if (resultSet.next()) {
}
} catch (SQLException e) {
// log it
}
//return
}
该用户名实际上来自客户端,用户可以篡改数据(如果他愿意)。因此,preparedStatements 会阻止接受报价并仅将过滤后的 SQL 形式发送到数据库。
例如:我可以提供 username= ' 或 1=1,这将是一个有效的 SQL 语句。但如果驱动程序转义用户输入中的引号,那么它们将阻止 SQL 注入。
一般的理解是什么?
Consider a hypothetical case where I have to retrieve some details from the database based on the userId and the sample code is given below
private String getpassword(String username) {
PreparedStatement statement = null;
ResultSet resultSet = null;
Connection conn = null;
final String selectQuery = "SELECT password FROM " + "users WHERE username=?";
try {
conn = dataSource.getConnection();
statement = conn.prepareStatement(selectQuery);
statement.setString(1, username);
resultSet = statement.executeQuery();
if (resultSet.next()) {
}
} catch (SQLException e) {
// log it
}
//return
}
This username is actually coming from the client side and the user can tamper the data (if he wants to). So will preparedStatements prevent from accepting quotes and send only the filtered form of SQL to the database.
For eg: I can provide username= ' or 1=1 and it will be a valid SQL statement. But if the driver escapes the quotes from user inputs, then they would prevent sql injections.
What is the general understanding of the same ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
据此,是的: http://en.wikipedia.org/wiki/SQL_injection
如果语句已编译,则注入的代码将不会再次被解释(因此不会被执行)。
According to this, yes: http://en.wikipedia.org/wiki/SQL_injection
In that case the statement is already compiled and injected code would not be interpreted (and thus not be executed) again.
使用参数和准备好的语句确实可以防止 SQL 注入攻击,即传递“' 或 1=1”不会导致返回意外的数据。但是,如果在任何阶段将数据显示给用户,则需要确保生成的 HTML 不会受到从数据库返回的用户输入的影响。
例如,如果您的网页显示:
如果用户名这
可能会导致 XSS 或 CSRF 攻击。
NB
会更安全(JSP代码)。
一个很好的参考是:
Using parameters and a prepared statement does prevent SQL injection attacks, i.e. passing "' or 1=1" will not result in unintended data returned. However, if at any stage you display the data back to the user, you need to ensure that the HTML that is produced cannot be affected by the user input that comes back from the database
For example, if your web page displays:
if the username is
can lead to XSS or CSRF attacks.
N.B.
would be safer (JSP code).
A good reference is:
用户名和查询将作为两个单独的事物发送到数据库,数据库引擎将负责将两者重新组合在一起。在读取参数时,查询已经由引擎编译,因此两者永远不会被视为同一语句的一部分。
The username and the query will be sent to the database as two separate things, and the database-engine will be responsible for putting the two back together. The query is already compiled by the engine by the time the parameter is read, so the two are never considered part of the same statement.