SQL注入攻击



1、通过JDBC方式操作时，要通过setString()的方式传人条件。

错误的做法：

PreparedStatement ps = conn.prepareStatement("select * from some_table where name=" + name);
ResultSet rs = ps.executeQuery();

PreparedStatement ps = conn.prepareStatement("select * from some_table where name=" + name);
ResultSet rs = ps.executeQuery();

正确的做法：

PreparedStatement ps = conn.prepareStatement("select * from some_table where name=?");
ps.setString(1, name);
ResultSet rs = ps.executeQuery();

PreparedStatement ps = conn.prepareStatement("select * from some_table where name=?");
ps.setString(1, name);
ResultSet rs = ps.executeQuery();

2、如果一定要用拼接的方式的话。

Nutz提供了org.nutz.dao.Sqls.escapeFieldValue方法来进行处理，过滤掉可能的注入威胁。

Statment st = conn.createStatement();
ResultSet rs = st.executeQuery("select * from some_table where name=" + Sqls.escapeFieldValue(name));

Statment st = conn.createStatement();
ResultSet rs = st.executeQuery("select * from some_table where name=" + Sqls.escapeFieldValue(name));

1、通过JDBC方式操作时，要通过setString()的方式传人条件。

错误的做法：




[sql] view plaincopy
01.PreparedStatement ps = conn.prepareStatement("select * from some_table where name=" + name);
02.ResultSet rs = ps.executeQuery();

正确的做法：




[sql] view plaincopy
01.PreparedStatement ps = conn.prepareStatement("select * from some_table where name=?");
02.ps.setString(1, name);
03.ResultSet rs = ps.executeQuery();

2、如果一定要用拼接的方式的话。

Nutz提供了org.nutz.dao.Sqls.escapeFieldValue方法来进行处理，过滤掉可能的注入威胁。




[sql] view plaincopy
01.Statment st = conn.createStatement();
02.ResultSet rs = st.executeQuery("select * from some_table where name=" + Sqls.escapeFieldValue(name));