
Are my sql jdbc methods safe from sql injection attack?

I was just googling for "how to add records into a database with ' in them" and then stumbled upon a possible vulnerability to my program, "sql injection". I don't know much about this; I saw it first on this page. People are saying something about parametrized query.

Here is my code in java:

public int addItem(String name, String manufacturer, String desc, String id, String category, double cost) throws SQLException{
    // The SQL text is built by concatenating the caller's values straight into it
    String additem = "INSERT INTO item VALUES(" + addComma(returnInQuotes(id)) + addComma(returnInQuotes(name)) + addComma(returnInQuotes(manufacturer)) +
        addComma(returnInQuotes(desc)) + addComma(returnInQuotes(category)) + cost + ")";
    Statement statement = con.createStatement();
    return statement.executeUpdate(additem);
}

public int removeItemById(String id) throws SQLException{
    // Same pattern: id is placed in the statement text, wrapped in single quotes
    String removeitembyid = "DELETE FROM item WHERE id = " + returnInQuotes(id);
    Statement statement = con.createStatement();
    return statement.executeUpdate(removeitembyid);
}

// Wraps a value in single quotes; an apostrophe inside str is passed through unchanged
private String returnInQuotes(String str){
    return  "'" + str + "'";
}

private String addComma(String str){
    return str + ",";
}

addComma and returnInQuotes are methods I made because I was sick of typing them in in the methods that need them.

So far I've tried my queries without the quotes; Derby JDBC doesn't seem to work without them.

SQL injection can be used when you directly use user input for your SQL statements. A good way to overcome this vulnerability is to use PreparedStatement in Java:

public int addItem(String name, String manufacturer, String desc, String id, String category, double cost) throws SQLException{
    String additem = "INSERT INTO item VALUES (?, ?, ?, ?, ?, ?)";
    PreparedStatement statement = con.prepareStatement(additem);
    statement.setString(1, id);
    statement.setString(2, name);
    statement.setString(3, manufacturer);
    statement.setString(4, desc);
    statement.setString(5, category);
    statement.setDouble(6, cost);
    return statement.executeUpdate();
}

public int removeItemById(String id) throws SQLException{
    String removeitembyid = "DELETE FROM item WHERE id = ?";
    PreparedStatement statement = con.prepareStatement(removeitembyid);
    statement.setString(1, id);
    return statement.executeUpdate();
}

You also don't need to add quotes yourself; they are added automatically.

No, your code is not safe. You need to change this method to escape embedded apostrophes:

private String returnInQuotes(String str){
    return "'" + str.replace("'", "''") + "'";
}

Otherwise, an id such as this:

1'; delete from item where 'a' = 'a

would have disastrous effects if your driver allows multiple statements to be executed in one call.

However, the best way to protect against injection is to use prepared statements and set parameter values; the driver handles the quoting for you.
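As an added example that is not part of the question or of either answer, the class below runs the question's concatenating `addItem` (with and without the second answer's `''` escaping) and the first answer's `PreparedStatement` versions against an in-memory embedded Derby database, since the question mentions Derby JDBC. It assumes derby.jar is on the classpath; the `ItemDaoDemo` class name, the table definition and the sample rows are constructed for this demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added demonstration class (constructed for this example, not from the question).
// Requires derby.jar on the classpath; uses an in-memory embedded Derby database.
public class ItemDaoDemo {
    private final Connection con;

    ItemDaoDemo(Connection con) {
        this.con = con;
    }

    // The question's returnInQuotes, with the second answer's fix applied when escape is true.
    private static String inQuotes(String s, boolean escape) {
        return "'" + (escape ? s.replace("'", "''") : s) + "'";
    }

    // Same shape as the question's addItem: the values become part of the SQL text.
    int addItemConcatenated(boolean escape, String name, String manufacturer, String desc,
                            String id, String category, double cost) throws SQLException {
        String sql = "INSERT INTO item VALUES (" + inQuotes(id, escape) + "," + inQuotes(name, escape)
                + "," + inQuotes(manufacturer, escape) + "," + inQuotes(desc, escape)
                + "," + inQuotes(category, escape) + "," + cost + ")";
        try (Statement st = con.createStatement()) {
            return st.executeUpdate(sql);
        }
    }

    // The first answer's version: the SQL text is fixed and the values are bound
    // separately, so nothing in a value can change the statement's structure.
    int addItem(String name, String manufacturer, String desc,
                String id, String category, double cost) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement("INSERT INTO item VALUES (?, ?, ?, ?, ?, ?)")) {
            ps.setString(1, id);
            ps.setString(2, name);
            ps.setString(3, manufacturer);
            ps.setString(4, desc);
            ps.setString(5, category);
            ps.setDouble(6, cost);
            return ps.executeUpdate();
        }
    }

    int removeItemById(String id) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement("DELETE FROM item WHERE id = ?")) {
            ps.setString(1, id);
            return ps.executeUpdate();
        }
    }

    int countItems() throws SQLException {
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM item")) {
            rs.next();
            return rs.getInt(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection con = DriverManager.getConnection("jdbc:derby:memory:itemdb;create=true")) {
            try (Statement st = con.createStatement()) {
                // Constructed schema; "desc" is spelled out because DESC is a reserved word.
                st.executeUpdate("CREATE TABLE item (id VARCHAR(32) PRIMARY KEY, name VARCHAR(64),"
                        + " manufacturer VARCHAR(64), description VARCHAR(200),"
                        + " category VARCHAR(32), cost DOUBLE)");
            }
            ItemDaoDemo dao = new ItemDaoDemo(con);

            // 1. An ordinary value containing an apostrophe breaks the unescaped concatenated SQL.
            try {
                dao.addItemConcatenated(false, "O'Reilly Java", "O'Reilly", "book", "b0", "books", 39.99);
                System.out.println("unescaped concatenated insert succeeded (unexpected)");
            } catch (SQLException e) {
                System.out.println("unescaped concatenated insert failed: " + e.getMessage());
            }

            // 2. With the second answer's '' escaping, the same concatenated insert goes through.
            dao.addItemConcatenated(true, "O'Reilly Java", "O'Reilly", "book", "b1", "books", 39.99);

            // 3. The PreparedStatement version needs no quoting at all.
            dao.addItem("Widget", "Acme", "gadget", "w1", "tools", 5.0);
            System.out.println("rows after inserts: " + dao.countItems());

            // 4. The hostile id from the second answer is compared as one literal string by the
            //    prepared DELETE, so it matches no row and the table is left alone.
            int removed = dao.removeItemById("1'; delete from item where 'a' = 'a");
            System.out.println("rows removed with hostile id: " + removed
                    + ", rows remaining: " + dao.countItems());

            // 5. A genuine id removes exactly that row.
            System.out.println("rows removed with id w1: " + dao.removeItemById("w1"));
        }
    }
}
```

Compile and run it with derby.jar on the classpath (`java -cp derby.jar:. ItemDaoDemo`). Step 1 fails with a Derby syntax error because the apostrophe in the value ends the string literal early, which is the same flaw that makes the injection in the second answer possible; step 2 shows the escaping fix repairs that one case, and steps 3 to 5 show that with parameters the value never reaches the SQL parser at all, so the hostile id deletes nothing while a real id still deletes its row.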
