[英]SQL Injection Guide In Java (or any other language)
I have a jsp code which has a query like 我有一个jsp代码,其查询如下
'select * from MyTable where
Column1='+request.getParameter('q'),
which is executed from a 从一个执行
java.sql.Statement. java.sql.Statement。 Now, provided we can append the query by using the
现在,只要我们可以使用
request parameter, my target is to change the query to something like: 请求参数,我的目标是将查询更改为:
Select * from MyTable where Column1 = a; Delete from MyTable;
since the original select query is executed through java.sql.Statement, 由于原始的选择查询是通过java.sql.Statement执行的,
how can we do such sql injection ? 我们怎么做这样的SQL注入? If the question is not clear, kindly
如果问题不清楚,请
comment, I'll try to provide further explanations. 评论,我将尝试提供进一步的解释。
if we inject q as a anything' OR 'x'='x
then it will select all the column which can be vulnerable. 如果我们将q注入为
anything' OR 'x'='x
则它将选择所有容易受到攻击的列。 as because variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver 之所以这样,是因为JDBC驱动程序会自动将作为参数传递给准备好的语句的变量自动转义。
Although Prepared Statements helps in defending against SQL Injection, there are possibilities of SQL Injection attacks through inappropriate usage of Prepared Statements. 尽管Prepared Statements有助于防御SQL Injection,但是通过不当使用Prepared Statements可能会发生SQL Injection攻击。 The example below explains such a scenario where the input variables are passed directly into the Prepared Statement and thereby paving way for SQL Injection attacks.
下面的示例说明了这种情况,其中输入变量直接传递到Prepared语句中,从而为SQL Injection攻击铺平了道路。
Check out this article , which explains how the Statement
and PreparedStatement
, as well as executeQuery()
and executeUpdate()
behave when it comes to SQL Injection. 查阅本文 ,其中介绍了SQL注入时
Statement
和PreparedStatement
以及executeQuery()
和executeUpdate()
行为。
Apart from the classic DROP
tables, there are more scenarios to watch out, like: 除了经典的
DROP
表之外,还有更多需要注意的场景,例如:
And it's not just SQL that can b affected. 不仅SQL会受到影响。 Even JPQL can be compromised if you are not using bind parameters.
如果不使用绑定参数,则即使JPQL也会受到损害。
Bottom line, you should never use string concatenation when building SQL statements. 最重要的是,在构建SQL语句时,绝对不要使用字符串连接。 Use a dedicated API for that purpose:
为此使用专用的API:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.