please help me about this problem......


Question

I am using the below code for inserting data into a database table using SQL Server Management Studio. There is no error in the connection and the program is running properly, but data is not inserting into the database table.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.Statement;

// The query is built by concatenating UI input straight into the SQL text (see the answer below)
String query="insert into Answers (ID,Ques_ID,Ans) select q.ID,q.Ques_ID,'"+txtboxAddAnswer.getText()+"' from Questions q where q.Question='"+passingQuestion+"';";
// Driver class names are case-sensitive; the Microsoft driver is com.microsoft.sqlserver.jdbc.SQLServerDriver
Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
Connection conn=DriverManager.getConnection("jdbc:sqlserver://localhost:1433;databaseName=TestJava","testjava","ahmad");
Statement st=conn.createStatement();
// An INSERT returns a row count, not a result set, so it must go through executeUpdate, not executeQuery
int rows=st.executeUpdate(query);
conn.close();

Solution

Your approach is wrong from the very beginning. You should never create a query by concatenation of strings taken from your UI. Instead, you need to use parameterized statements. Please see: https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java.

If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327.

—SA
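As an added example (not part of the original answer or the asker's code), here is the same INSERT ... SELECT rewritten with a JDBC PreparedStatement, which is the parameterized-statement approach the answer recommends. It keeps the table and column names and the connection URL from the question; the class name AddAnswer, the DB_USER/DB_PASSWORD placeholders and the sample question and answer text are constructed for this example, and it assumes the Microsoft JDBC driver is on the classpath and the Questions and Answers tables exist.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Parameterized version of the INSERT ... SELECT from the question.
 * Table and column names and the connection URL are the ones shown in the
 * question; the credentials below are placeholders (assumption for this example).
 */
public class AddAnswer {

    // Same SQL as the question, but the two user-supplied values are bound
    // parameters (?) instead of being spliced into the SQL text.
    private static final String INSERT_ANSWER =
        "insert into Answers (ID, Ques_ID, Ans) "
      + "select q.ID, q.Ques_ID, ? from Questions q where q.Question = ?";

    /**
     * Inserts answerText for the question whose text equals questionText.
     * Returns the number of rows inserted: 0 means no question matched, which is
     * one way the "no error but nothing inserted" symptom in the question arises.
     */
    public static int addAnswer(Connection conn, String questionText, String answerText)
            throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(INSERT_ANSWER)) {
            // The driver sends the values separately from the SQL, so a quote or
            // SQL fragment inside them is stored as data, never parsed as SQL.
            ps.setString(1, answerText);
            ps.setString(2, questionText);
            return ps.executeUpdate();   // executeUpdate, not executeQuery, for INSERT
        }
    }

    public static void main(String[] args) throws SQLException {
        // Connection URL as in the question; user and password are placeholders.
        String url = "jdbc:sqlserver://localhost:1433;databaseName=TestJava";
        try (Connection conn = DriverManager.getConnection(url, "DB_USER", "DB_PASSWORD")) {
            // Constructed sample input. The answer text contains apostrophes: with
            // string concatenation this would have produced a malformed query;
            // bound as a parameter it is stored verbatim.
            int rows = addAnswer(conn, "What is JDBC?", "It's Java's database API");
            if (rows == 0) {
                System.out.println("No question with that text; nothing inserted.");
            } else {
                System.out.println("Inserted " + rows + " row(s).");
            }
        }
    }
}
```

Two checks worth making against the original code: with a JDBC 4 driver the Class.forName call is unnecessary (the driver is located through the service loader), and executeUpdate returns the affected row count, so a silent "nothing inserted" becomes a visible 0 instead of being hidden inside a swallowed exception.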

