What is SQL injection
A SQL injection attack works by building specially crafted input and passing it to a web application as a parameter. Most of this input consists of fragments of SQL syntax; when the application executes the resulting SQL statement, it carries out whatever operation the attacker intended. It is currently one of the most common techniques used to attack databases.
SQL injection example
Bypassing login (knowing only the username, without the password, is enough to log in)
The real credentials are userName = "zs"; password = "123";
// Simulate the userName and password entered by the user
String userName = "zs";
String password = "123";
// Vulnerable: the query is built by string concatenation
String sql = "select * from user where username = '" + userName + "' " +
             "and password = '" + password + "' ";
The hacker's methods
1. Use -- to comment out the password part of the statement
String userName = "zs' --";
String password = "fdfdfdfdf";
// Everything after -- becomes a comment, so the password check never runs
String sql = "select * from user where username = '" + userName + "' " +
             "and password = '" + password + "' ";
2. Use or
String userName = "zs' or '1'='1";
String password = "fdfdfdfdf";
// The injected or makes the password condition irrelevant
String sql = "select * from user where username = '" + userName + "' " +
             "and password = '" + password + "' ";
The corresponding actual SQL statement:
select * from user where username='zs' or '1'='1' and password='fdfdfdfdf';
The or splits the statement into two parts: select * from user where username='zs'
and '1'='1' and password='fdfdfdfdf'. Because and binds more tightly than or, the first part alone is enough to match the zs row, so the password is never checked.
How to prevent SQL injection
Use the PreparedStatement class: it precompiles the SQL, and it is the class normally used in development.
// connection is an existing java.sql.Connection
String sql = "select * from user" +
             " where username = ? and password = ?"; // ? is a placeholder
// Precompile the SQL
PreparedStatement statement =
    connection.prepareStatement(sql);
String userName = "zs or 1=1";
String password = "dfdfdfdfd";
statement.setString(1, userName); // bind the value to the first placeholder
statement.setString(2, password);
ResultSet resultSet = statement.executeQuery();
Pass values with PreparedStatement's setXXX() methods; bound values are treated as data, never as SQL syntax.
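The login bypass above and the parameterized fix, as an added example that is not part of the original post: Python's sqlite3 module stands in for the page's JDBC code (its ? placeholders are bound the same way as PreparedStatement.setString), and the users table and its rows are constructed here.

```python
import sqlite3

# Constructed sample data standing in for the page's "user" table
# (table renamed to "users"; the zs/123 credentials are from the page).
USERS = [("zs", "123"), ("admin", "s3cret")]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the query is built by string concatenation."""
    sql = ("select * from users where username = '" + username +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, username, password):
    """Hardened: ? placeholders bound separately, like PreparedStatement."""
    sql = "select * from users where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Return (rows from concat query, rows from prepared query) per input."""
    conn = _db()
    cases = [("legit", "zs", "123"),            # real credentials
             ("comment", "zs' --", "fdfdfdfdf"),  # method 1 from the page
             ("or", "zs' or '1'='1", "fdfdfdfdf")]  # method 2 from the page
    results = {}
    for label, u, p in cases:
        results[label] = (len(login_concat(conn, u, p)),
                          len(login_prepared(conn, u, p)))
    return results
```

Both injected inputs log in through the concatenated query but match no row through the parameterized one, because the bound value is compared literally as a username.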