使用preparedStatement是否意味着将不会进行任何SQL注入? [英] Does using preparedStatement mean there will not be any SQL Injection?

问题描述

我已阅读到要防止SQL注入，必须使用PreparedStatement.
这是否意味着如果我使用的是perparedStatement，那么任何人都无法在我的任何页面中执行SQL注入吗?它对SQL注入是否万无一失?如果没有，请举一些例子来证明这一点.

I have read that to prevent SQL Injection one must use PreparedStatement.
Does that mean if i am using perparedStatement then no one can perform SQL Injection in any of my page? Is it foolproof against SQL Injection? If not then please give some example to demonstrate this.

推荐答案

只要您实际上使用的是预准备语句的参数替换功能(可能会误用它们而不使用该功能)，并且前提是您没有并不是您正在使用的预准备语句库中的错误，那么您应该可以避免使用原始SQL注入.不过，这并不意味着您不应该怀疑用户给您的任何内容. :-)

As long as you're actually using the parameter substitution feature of the prepared statement (it's possible to misuse them and not use that feature), and provided there isn't a bug in the prepared statement library you're using, then you should be fine against raw SQL injection. That doesn't mean you shouldn't treat whatever the user gives you with suspicion, though. :-)

这篇关于使用preparedStatement是否意味着将不会进行任何SQL注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！