I have a JSP code which has a query like
'select * from MyTable where Column1=' + request.getParameter('q'),
which is executed from a java.sql.Statement. Now, provided we can append to the query by using the request parameter, my target is to change the query to something like:
Select * from MyTable where Column1 = a; Delete from MyTable;
Since the original select query is executed through java.sql.Statement, how can we do such SQL injection? If the question is not clear, kindly comment; I'll try to provide further explanations.
If we inject q as anything' OR 'x'='x
then it will select all the columns, which can be vulnerable. This is because variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver.
Although Prepared Statements help in defending against SQL injection, there are possibilities of SQL injection attacks through inappropriate usage of Prepared Statements. The example below explains such a scenario, where the input variables are passed directly into the Prepared Statement, thereby paving the way for SQL injection attacks.
Check out this article, which explains how the Statement and PreparedStatement, as well as executeQuery() and executeUpdate(), behave when it comes to SQL injection.
Apart from the classic DROP tables, there are more scenarios to watch out for, like:
And it's not just SQL that can be affected. Even JPQL can be compromised if you are not using bind parameters.
Bottom line, you should never use string concatenation when building SQL statements. Use a dedicated API for that purpose:
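An added illustration (not code from any of the answers above) of the difference the last answer describes: the same lookup written with string concatenation, as the JSP in the question does, and with a bind parameter, as a PreparedStatement does. It is reproduced in Python's sqlite3 so it runs stand-alone; the JDBC equivalents are named in the comments. It assumes the JSP wraps the parameter in single quotes, which is what the first answer's payload relies on, and the table contents are constructed.

```python
import sqlite3

# Constructed sample data standing in for MyTable (not a real dataset).
ROWS = [("a", "public"), ("b", "secret"), ("c", "secret")]


def _fresh_db():
    """In-memory table so each call starts from the same known state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (Column1 TEXT, payload TEXT)")
    conn.executemany("INSERT INTO MyTable VALUES (?, ?)", ROWS)
    return conn


def query_with_concatenation(q):
    """Mirrors the JSP code: the request parameter is spliced into the SQL
    text, as in Statement.executeQuery("... Column1='" + q + "'").
    Quotes inside q therefore change the structure of the statement."""
    sql = "SELECT * FROM MyTable WHERE Column1='" + q + "'"
    with _fresh_db() as conn:
        return conn.execute(sql).fetchall()


def query_with_bind_parameter(q):
    """Mirrors PreparedStatement with setString(1, q): the SQL text is fixed
    and q travels separately as a value, so quotes in it are only data."""
    with _fresh_db() as conn:
        return conn.execute(
            "SELECT * FROM MyTable WHERE Column1=?", (q,)
        ).fetchall()


if __name__ == "__main__":
    # The payload from the first answer: with concatenation the WHERE clause
    # becomes Column1='anything' OR 'x'='x' and every row comes back; with a
    # bind parameter no row has that literal value, so nothing comes back.
    payload = "anything' OR 'x'='x"
    print("concatenation:", query_with_concatenation(payload))
    print("bind parameter:", query_with_bind_parameter(payload))
```

Whether the stacked `; Delete from MyTable` form in the question can execute at all depends on the database driver and its configuration (sqlite3 refuses a second statement in execute()), but the fix is the same in every case: bind parameters, never concatenation.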