JDBC driver escaping arguments for prepared statement?
Question
From the OWASP page on Preventing SQL Injection in Java:
Variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver.
I understand how prepared statements separate user input to be handled as parameter content and not as part of the SQL command. But I stumbled across the quoted sentence above and I am wondering what all the escaping is about. How does that help prevent the injection attack?
Recommended answer
Suppose your statement is
"select * from foo where name = '" + name + "'";
Now if the name variable happens to be O'Reilly, you end up with the following SQL query, which is invalid:
select * from foo where name = 'O'Reilly'
Use a prepared statement instead:
"select * from foo where name = ?"
The driver will then bind the parameter correctly as a string, and the single quote in O'Reilly won't be interpreted as the end of the string started at 'O.
In this simple case, not using a prepared statement will "only" lead to an exception in your app. But if someone uses a name like
' or 1 = 1 or name <> '
the query becomes
select * from foo where name = '' or 1 = 1 or name <> ''
and the query will thus load every single row of the table. That's what SQL injection is all about.
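The two queries from the answer side by side, as an added example that is not part of the original post. It uses Python's sqlite3 module and its DB-API parameter binding as a stand-in for a JDBC PreparedStatement, with a constructed in-memory table named foo; the hypothetical helpers query_concatenated and query_prepared are mine.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the table "foo" from the answer.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (id integer primary key, name text)")
    conn.executemany("insert into foo (name) values (?)",
                     [("Alice",), ("O'Reilly",), ("Bob",)])
    conn.commit()
    return conn


def query_concatenated(conn, name):
    """The vulnerable pattern from the answer: user input pasted into the SQL text."""
    sql = "select * from foo where name = '" + name + "'"
    return conn.execute(sql).fetchall()


def query_prepared(conn, name):
    """Parameter binding: the driver treats `name` as a string value, never as SQL."""
    return conn.execute("select * from foo where name = ?", (name,)).fetchall()


def demo():
    conn = make_db()
    results = {}
    # O'Reilly: concatenation produces invalid SQL (the quote ends the literal);
    # binding finds the one matching row.
    try:
        query_concatenated(conn, "O'Reilly")
        results["concat_oreilly"] = "no error"
    except sqlite3.OperationalError:
        results["concat_oreilly"] = "syntax error"
    results["prepared_oreilly"] = len(query_prepared(conn, "O'Reilly"))
    # The injection string from the answer: concatenation returns every row,
    # binding searches for a name literally equal to that string and finds none.
    payload = "' or 1 = 1 or name <> '"
    results["concat_payload"] = len(query_concatenated(conn, payload))
    results["prepared_payload"] = len(query_prepared(conn, payload))
    return results


if __name__ == "__main__":
    print(demo())
```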