stackoom
  简体   繁体   中英

prepared statement and SQL injection

 原文  2015-04-03 11:11:23       java/ jdbc/ prepared-statement/ sql-injection

Question

I have been reading about prepared statement and it said that SQL injection is still very possible with it. Now I would use spring if I was creating an web app but I thought that it allowing such attacks odd.

PreparedStatement forces you to pick the index. This will cause many problems because you will not always want to pick the same location over and over to store data. Even if you create a counter it will be counter productive because it will reset everything the program shuts down. 

String query = "INSERT INTO offers (name,email.text) VALUES 
'"+name+"','"+email+ "','"+text+"'";

Lets say the above code is my query. What is a safe alternative and will allow auto increment in the mySQL database.

2 answers

solution1
 3  2015-04-03 11:28:35

SQL injection attacks are possible with PreparedStatement if you write your SQL like you did where you concatenate your variables to your SQL statement.

Your query should be 

String query = "INSERT INTO offers (name,email,text) VALUES (?,?,?)

By concatenating the values like you did you are indeed allowing the possibility of sql injection because the values of those variables could be actual SQL which would cause your insert to do something that is not intended. You can use ?s like I did and then set them programmatically. The values will be properly escaped keeping SQL injection attacks from happening.

Read this to find out how to set the ? values in the SQL like I have written it.

Using Prepared Statements

solution2
 1 ACCPTED  2015-04-03 11:27:52

A prepared statement query will be something like this: 

String sql = "insert into offers (name, email, text) values(?, ?, ?);

You the create a PreparedStatement with this. Then set the 1-based indexed values and execute the query. 100% safe to SQL-injections!

With Spring, you will probably use a JdbcTemplate. Note there is a NamedParameterJdbcTemplate implementation which does not use indexes, but named parameters. Query will be: 

String sql = "insert into offers (name, email, text) values(:name, :email, :text);

Then set the name-based values and execute the query. Again 100% safe to SQL-injections!

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Prepared Statement effect against SQL Injection Is SQL injection possible even on a prepared statement Blind Sql injection despite using prepared statement SQL injection for Dynamic where conditions in prepared statement Does prepared statement prevent SQL-Injection here Does concatenated string that is later used in prepared statement cause sql injection? How to build query in Java to prevent SQL injection using prepared statement Using prepared statement for Order by to prevent SQL injection java prepared statement / sql-injection preventation on variable from In prepared statement is setString() the only useful method to prevent SQL injection?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM