我的sql jdbc方法是否可以防止sql注入攻击?
[英]Are my sql jdbc methods safe from sql injection attack?
问题描述
I was just googling for "how to add records into a database with ' in them" and then stumbled upon a possible vulnerability to my program, "sql injection". 
我只是在搜索“如何在其中添加记录到数据库中”,然后偶然发现了我的程序“ sql注入”可能存在的漏洞。 I don't know much about this; 我对此并不了解。 I saw it first on this page . 我首先在此页面上看到它。 People are saying something about parametrized query. 人们在说一些关于参数化查询的事情。
Here is my code in java: 这是我在Java中的代码:
public int addItem(String name, String manufacturer, String desc, String id, String category, double cost) throws SQLException{
String additem = "INSERT INTO item VALUES(" + addComma(returnInQuotes(id)) + addComma(returnInQuotes(name)) + addComma(returnInQuotes(manufacturer)) +
addComma(returnInQuotes(desc)) + addComma(returnInQuotes(category)) + cost + ")";
Statement statement = con.createStatement();
return statement.executeUpdate(additem);
}
public int removeItemById(String id) throws SQLException{
String removeitembyid = "DELETE FROM item WHERE id = " + returnInQuotes(id);
Statement statement = con.createStatement();
return statement.executeUpdate(removeitembyid);
}
private String returnInQuotes(String str){
return "'" + str + "'";
}
private String addComma(String str){
return str + ",";
}
addComma and returnInQuotes are methods I made because I was sick of typing them in in the methods that need them. addComma和returnInQuotes是我制作的方法,因为我讨厌在需要它们的方法中键入它们。
So far I've tried my queries without the quotes, derby jdbc doesn't seem to work without them. 到目前为止,我已经在没有引号的情况下尝试了查询,如果没有引号,derby jdbc似乎无法工作。
2 个解决方案
解决方案1
3 2014-04-19 11:50:21
SQL Injection can be used when you directly use user input for your sql statements, a good way to overcome this vulnerability is to use PreparedStatement in Java: 直接将用户输入用于sql语句时,可以使用SQL注入,克服此漏洞的一个好方法是在Java中使用PreparedStatement :
public int addItem(String name, String manufacturer, String desc, String id, String category, double cost) throws SQLException{
String additem = "INSERT INTO item VALUES (?, ?, ?, ?, ?, ?)";
PreparedStatement statement = con.prepareStatement(additem);
statement.setString(1, id);
statement.setString(2, name);
statement.setString(3, manufacturer);
statement.setString(4, desc);
statement.setString(5, category);
statement.setDouble(6, cost);
return statement.executeUpdate();
}
public int removeItemById(String id) throws SQLException{
String removeitembyid = "DELETE FROM item WHERE id = ?";
PreparedStatement statement = con.prepareStatement(removeitembyid);
statement.setString(1, id);
return statement.executeUpdate();
}
You also don`t need to add quotes yourself, they are added automatically. 您也不需要自己添加报价,因为报价是自动添加的。
解决方案2
2 2014-04-19 11:42:18
No, your code is not safe. 不,您的代码不安全。 You need to change this method to escape embedded apostrophes: 您需要更改此方法以转义嵌入的撇号:
private String returnInQuotes(String str){
return "'" + str.replace("'", "''") + "'";
}
Otherwise, an id such as this: 否则,这样的id:
1'; delete from item where 'a' = 'a
Would have disastrous effects if your driver allows multiple statements to be executed in one call. 如果您的驱动程序允许在一个调用中执行多个语句,将会造成灾难性的影响。
However, the best way to protect against injection is to use prepared statements and set parameter values; 但是,防止注入的最佳方法是使用准备好的语句并设置参数值。 the driver handles the quoting for you. 司机为您处理报价。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.