JDBC driver escaping arguments for prepared statement?


Problem description

From the OWASP page on Preventing SQL Injection in Java:

Variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver.

I understand how prepared statements separate user input to be handled as parameter content and not as part of the SQL command. But I stumbled across the quoted sentence above and I am wondering what's all the escaping about. How does that help prevent the injection attack?

Recommended answer

Suppose your statement is

"select * from foo where name = '" + name + "'";

Now if the name variable happens to be O'Reilly, you end up with the following SQL query, which is invalid:

select * from foo where name = 'O'Reilly'

Use a prepared statement instead:

"select * from foo where name = ?"

The driver will then bind the parameter correctly as a string, and the single quote in O'Reilly won't be interpreted as the end of the string started at 'O.

In this simple case, not using a prepared statement will "only" lead to an exception in your app. But if someone uses a name like

' or 1 = 1 or name <> '

the query becomes

select * from foo where name = '' or 1 = 1 or name <> ''

and the query will thus load every single row of the table. That's what SQL injection is all about.
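The two behaviours described in the answer, run side by side as an added example (not part of the original question or answer). It uses Python's standard sqlite3 module with an in-memory database instead of Java/JDBC so that it runs without any driver to install; the `?` placeholder is bound by the database client exactly the way a JDBC PreparedStatement parameter is, so the point carries over unchanged. The table `foo(name)` and its three rows are constructed for the example; the inputs `O'Reilly` and `' or 1 = 1 or name <> '` are the ones from the answer above.

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
ROWS = [("Alice",), ("O'Reilly",), ("Bob",)]


def make_db():
    """Create an in-memory table foo(name) holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (name text)")
    conn.executemany("insert into foo (name) values (?)", ROWS)
    conn.commit()
    return conn


def query_concatenated(conn, name):
    """The vulnerable pattern from the question: the value is spliced
    into the SQL text, so quotes inside it change the statement."""
    sql = "select * from foo where name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def query_parameterized(conn, name):
    """The fix: the SQL text is fixed and the value is sent as a bound
    parameter, so a quote in the value is just data."""
    sql = "select * from foo where name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both variants against a fresh database with the same input.

    Returns (concatenated_result, parameterized_result). When the spliced
    SQL is not even valid, the concatenated result is the string
    'error: <message>' instead of a row list.
    """
    conn = make_db()
    try:
        concat = query_concatenated(conn, name)
    except sqlite3.Error as exc:
        concat = f"error: {exc}"
    param = query_parameterized(conn, name)
    conn.close()
    return concat, param


if __name__ == "__main__":
    for value in ["Bob", "O'Reilly", "' or 1 = 1 or name <> '"]:
        concat, param = compare(value)
        print(f"input={value!r}")
        print(f"  concatenated : {concat}")
        print(f"  parameterized: {param}")
```

For `Bob` both variants agree. For `O'Reilly` the concatenated query is invalid SQL and raises, while the bound parameter finds the matching row. For `' or 1 = 1 or name <> '` the concatenated query returns every row in the table, while the bound parameter simply looks for a name equal to that literal string and finds nothing, which is the whole reason the answer recommends prepared statements.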
