stackoom
  简体   繁体   中英

SQL Injection Guide In Java (or any other language)

 原文  2012-08-17 06:49:10       java/ sql/ prepared-statement/ sql-injection

Question

I have a jsp code which has a query like 

'select * from MyTable where

Column1='+request.getParameter('q'),

which is executed from a

java.sql.Statement. Now, provided we can append the query by using the

request parameter, my target is to change the query to something like: 

Select * from MyTable where Column1 = a; Delete from MyTable;

since the original select query is executed through java.sql.Statement,

how can we do such sql injection ? If the question is not clear, kindly

comment, I'll try to provide further explanations.

3 answers

solution1
 2  2012-08-17 07:20:53

SQL Injection Guide: Link1 & Link2 ,but there are so many relevant threads in Stackoverflow regarding SQL Injection like Q & A .

Do one thing,search by -> sql injection java stackoverflow

solution2
 1  2012-08-17 06:59:20

if we inject q as a anything' OR 'x'='x then it will select all the column which can be vulnerable. as because variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver

Although Prepared Statements helps in defending against SQL Injection, there are possibilities of SQL Injection attacks through inappropriate usage of Prepared Statements. The example below explains such a scenario where the input variables are passed directly into the Prepared Statement and thereby paving way for SQL Injection attacks.

solution3
 0  2016-11-08 15:05:46

Check out this article , which explains how the Statement and PreparedStatement , as well as executeQuery() and executeUpdate() behave when it comes to SQL Injection.

Apart from the classic DROP tables, there are more scenarios to watch out, like:

  • call a sleep function so that all your database connections will be busy, therefore making your application unavailable
  • extracting sensitive data from the DB
  • bypassing the user authentication

And it's not just SQL that can b affected. Even JPQL can be compromised if you are not using bind parameters.

Bottom line, you should never use string concatenation when building SQL statements. Use a dedicated API for that purpose:

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question is this possible in java or any other programming language Is there any language other than Java that will work as ubiquitous on mobile? Java or any other language: Which method/class invoked mine? Is there a way to incorporate the OpenSCAD compiler in java or any other programming language? How do Annotations works internally in Java or any other programming language? JAVA - Possible SQL Injection Java SQL Injection - MySQLSyntaxErrorException Prevent Sql Injection (Java) SQL injection Attack in Java Avoiding SQL injection in java
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM