
How to send parameters of an sql-query in a different request?

PostgreSQL 9.4

As is well known, the JDBC PreparedStatement can prevent SQL injection attacks by sending the parameters in a request different from the one that is used for sending the actual query body.

How can I send such two requests to a database directly, or is it not supported by the RDBMS? I mean, does PreparedStatement do its internal magic and send the query parameters in a different request, or do RDBMSs support that natively?

The prepared statement does not contain the actual parameter values, only placeholders (marked with ?):

 PreparedStatement stmt = con.prepareStatement("select cu_id, cu_last_name from customer where cu_id between ? and ?");

The placeholders (bind variables) are set to the required values before the execution:

 stmt.setInt(1, 100);
 stmt.setInt(2, 105);

and the query is executed:

 ResultSet rs = stmt.executeQuery();

The important fact is that the database can reuse the statement for more executions, so the statement is not parsed completely for each execution (but the details depend on the DBMS), which can provide better performance. SQL injection is prevented due to the fact that only the parameter values are provided; it is not possible to change the SQL query text.
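To answer the "natively or driver magic" part for PostgreSQL concretely: the server does support it natively. Its frontend/backend protocol (version 3) has an extended-query mode in which the SQL text goes to the server in a Parse message and the values go in a separate Bind message; the pgjdbc driver uses this mode for a PreparedStatement, rewriting the JDBC `?` placeholders to `$1`, `$2` before sending the text. The following is an added example, not code from the question or the answer above: it encodes the exact bytes of a simple Query message (string concatenation) and of a Parse/Bind/Execute/Sync sequence (prepared statement) for the query used above, and decodes the SQL text the server's parser would actually see in each case. The message layouts follow the protocol documentation; the hostile input, the UTF-8 client encoding and the use of unnamed statements and portals are assumptions made for the example.

```python
import struct

# Constructed sample: the query from the answer above with the $n placeholders that
# pgjdbc substitutes for JDBC's ? before the text is sent to the server (assumption
# for this example: unnamed statement and portal, UTF-8 client encoding).
QUERY = "select cu_id, cu_last_name from customer where cu_id between $1 and $2"


def _cstr(s: str) -> bytes:
    """Protocol strings are NUL-terminated; UTF-8 is assumed as the client encoding."""
    return s.encode("utf-8") + b"\x00"


def _message(msg_type: bytes, body: bytes) -> bytes:
    """Frame one message: 1 type byte, Int32 length (counts itself, not the type byte), body."""
    return msg_type + struct.pack("!i", len(body) + 4) + body


def simple_query(sql: str) -> bytes:
    """Simple query protocol ('Q'): a single string carries the SQL text and, with
    string concatenation, whatever values the application pasted into it."""
    return _message(b"Q", _cstr(sql))


def parse_message(sql: str, statement_name: str = "") -> bytes:
    """Extended protocol Parse ('P'): statement name, SQL text, and the number of
    parameter types declared up front (0 here, so the server infers them)."""
    return _message(b"P", _cstr(statement_name) + _cstr(sql) + struct.pack("!h", 0))


def bind_message(params, statement_name: str = "", portal_name: str = "") -> bytes:
    """Extended protocol Bind ('B'): only parameter values, each length-prefixed.
    All values are sent in text format (no per-parameter format codes); None is SQL NULL (-1)."""
    body = _cstr(portal_name) + _cstr(statement_name)
    body += struct.pack("!h", 0)                 # 0 parameter format codes -> all text
    body += struct.pack("!h", len(params))
    for p in params:
        if p is None:
            body += struct.pack("!i", -1)
        else:
            raw = str(p).encode("utf-8")
            body += struct.pack("!i", len(raw)) + raw
    body += struct.pack("!h", 0)                 # 0 result-column format codes -> text
    return _message(b"B", body)


def execute_message(portal_name: str = "", max_rows: int = 0) -> bytes:
    """Extended protocol Execute ('E'); max_rows 0 means no limit."""
    return _message(b"E", _cstr(portal_name) + struct.pack("!i", max_rows))


def sync_message() -> bytes:
    """Sync ('S') ends the extended-protocol cycle; the server answers with ReadyForQuery."""
    return _message(b"S", b"")


def extended_query(sql: str, params) -> bytes:
    """The byte stream a driver sends for one PreparedStatement execution: Parse, Bind, Execute, Sync."""
    return parse_message(sql) + bind_message(params) + execute_message() + sync_message()


def sql_seen_by_server(stream: bytes) -> str:
    """Decode the SQL text from the first message of a stream ('Q' or 'P'). This string,
    and nothing from a later Bind message, is what the server's SQL parser processes."""
    msg_type = stream[:1]
    length = struct.unpack("!i", stream[1:5])[0]
    body = stream[5:1 + length]
    if msg_type == b"Q":
        return body.split(b"\x00", 1)[0].decode("utf-8")
    if msg_type == b"P":
        _name, sql, _rest = body.split(b"\x00", 2)
        return sql.decode("utf-8")
    raise ValueError("first message is not Query or Parse")


def demo():
    """Constructed attacker input for the upper bound of the BETWEEN range."""
    hostile = "105 or 1=1"
    # String concatenation: the input is spliced into the SQL before it is sent.
    concatenated = simple_query(
        "select cu_id, cu_last_name from customer where cu_id between 100 and " + hostile)
    # Prepared statement: the SQL text is fixed; the input only ever appears as a Bind value.
    bound = extended_query(QUERY, [100, hostile])
    return concatenated, bound


if __name__ == "__main__":
    concatenated, bound = demo()
    print("concatenated, server parses:", sql_seen_by_server(concatenated))
    print("prepared,     server parses:", sql_seen_by_server(bound))
    print("hostile text inside Parse message?", b"1=1" in parse_message(QUERY))
    print("hostile text inside Bind message? ", b"1=1" in bind_message([100, "105 or 1=1"]))
```

In the prepared case the string `105 or 1=1` reaches the server only as a length-prefixed Bind value for `$2`; since `$2` is compared with an integer column, the server rejects it as an invalid integer at bind time rather than ever treating it as SQL. In the concatenated case the same text is part of the query string in the Query message and is parsed as `... between 100 and 105 or 1=1`. Drivers for other databases use analogous separate parameter messages (or, where the server lacks them, client-side escaping, which is a different and weaker mechanism), which is the "details depend on the DBMS" caveat in the answer.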
