java编程安全问题总结

1、sql注入

      1)不能直接利用sql直接拼接，如表：

String sql = "select * from user where id=" + id;
Class.forName(mysqldriver);
Connection conn = DriverManager.getConnection(mysqlurl);
PreparedStatement pstt = conn.prepareStatement(sql);
ResultSet rs = pstt.executeQuery();

         修复：使用预编译

String sql = "select * from user where id= ?";
Class.forName(mysqldriver);
Connection conn = DriverManager.getConnection(mysqlurl);
PreparedStatement pstt = conn.prepareStatement(sql);
pstt.setObject(1, id); 
ResultSet rs = pstt.executeQuery();

       2）中间件Mybatis的sql注入，带有Like关键字

Select * from news where title like ‘%#{title}%’  //用#写程序会报错
Select * from news where title like ‘%${title}%’  //改为这种，也可能造成sql注入。

        修复：使用concat函数

select * from news where tile like concat(‘%’,#{title}, ‘%’)

        3）中间件Mybatis的sql注入，带有In关键字

Select * from news where id in (#{id})   //报错
Select * from news where id in (${id})   //不安全

          修复：使用foreach标签

select * from news where id in
#{item}