Java SQL注入问题
说明:导致信息泄露或者数据被篡改。
防止SQL注入的建议:
①使用参数化查询:最有效的防护手段,对于sql语句中的表名、字段名、部分场景下的in条件不适用;
②对不可信数据进行白名单校验:适用于拼接sql语句中的表名、字段名;
③对不可信数据进行转码:适用于拼接到sql语句中的由引号限制的字段。
Statement 用于执行不带参数的简单SQL语句,并返回它所生成结果的对象,每次执行SQL语句时,数据库都要编译SQL语句。容易产生SQL注入问题。
PreparedStatement 表示预编译的SQL语句的对象,用于执行带参数的预编译SQL语句。注入支队SQL语句的编译过程有破坏作用,而执行阶段只是把输入串作为数据处理,不再需要对SQL语句进行解析,因此可以避免了类似select * from user where name='aa' and password = 'bb' or 1 =1;的SQL注入问题的发生。
Statement 查询例子:
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
class SqlInjection {
public static void main(String[] args) {
String driver = "com.mysql.jdbc.Driver";
// String url =
// "jdbc:mysql://localhost:3306/students?useUnicode=true&characterEncoding=UTF-8&useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=UTC";
String url = "jdbc:mysql://localhost:3306/students";
String user = "root";
String password = "123456";
Connection con = null;
Statement statement = null;
ResultSet resultSet = null;
try {
Class.forName(driver);
con = DriverManager.getConnection(url, user, password);
if (!con.isClosed()) {
System.out.println("数据库连接成功");
}
statement = con.createStatement();
String name = "zhangsan";
// String name = "zhangsan' or 'a' = 'a";
int age = 20;
String sqlQuery = "select * from student where age=" + age + " and name='" + name + "'";
resultSet = statement.executeQuery(sqlQuery);
while (resultSet.next()) {
System.out.println("id: " + resultSet.getInt("id") + " name: " + resultSet.getString("name")
+ " age: " + resultSet.getInt("age"));
}
} catch (ClassNotFoundException e) {
System.out.println("数据库驱动没有安装");
} catch (SQLException sqlException) {
System.out.println("数据库连接失败");
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
if (statement != null) {
statement.close();
}
if (con != null) {
con.close();
}
} catch (SQLException e) {
System.out.println(e.getMessage());
}
}
}
}
PreparedStatement 例子:
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
class SqlInjectionPreparedStatement {
public static void main(String[] args) {
String driver = "com.mysql.jdbc.Driver";
String url =
"jdbc:mysql://localhost:3306/students?useUnicode=true&characterEncoding=UTF-8&useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=UTC";
String user = "root";
String password = "123456";
Connection con = null;
PreparedStatement preparedStatement = null;
ResultSet resultSet = null;
try {
Class.forName(driver);
con = DriverManager.getConnection(url, user, password);
if (!con.isClosed()) {
System.out.println("数据库连接成功");
}
String sqlQuery = "select * from student where age=? and name=?";
preparedStatement = con.prepareStatement(sqlQuery);
String name = "zhangsan' or 'a' = 'a";
int age = 20;
preparedStatement.setInt(1, age);
preparedStatement.setString(2, name);
resultSet = preparedStatement.executeQuery();
while (resultSet.next()) {
System.out.println("id: " + resultSet.getInt("id") + " name: " + resultSet.getString("name")
+ " age: " + resultSet.getInt("age"));
}
} catch (ClassNotFoundException e) {
System.out.println("数据库驱动没有安装");
} catch (SQLException sqlException) {
System.out.println("数据库连接失败");
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
if (preparedStatement != null) {
preparedStatement.close();
}
if (con != null) {
con.close();
}
} catch (SQLException e) {
System.out.println(e.getMessage());
}
}
}
}