防止Java程序中的SQL注入攻击 [英] Prevent SQL injection attacks in a Java program
问题描述
我必须在我的java程序中添加一个语句来更新数据库表:
I have to add a statement to my java program to update a database table:
String insert =
"INSERT INTO customer(name,address,email) VALUES('" + name + "','" + addre + "','" + email + "');";
我听说这可以通过SQL注入来利用,如:
I heard that this can be exploited through an SQL injection like:
DROP TABLE customer;
我的程序有一个Java GUI,所有的名称,地址和电子邮件值都是从<$ c $中检索的C> JTextField的。我想知道黑客如何将以下代码( DROP TABLE customer;
)添加到我的插入语句中,以及如何防止这种情况。
My program has a Java GUI and all name, address and email values are retrieved from Jtextfields
. I want to know how the following code (DROP TABLE customer;
) could be added to my insert statement by a hacker and how I can prevent this.
推荐答案
你需要使用的PreparedStatement 。
例如
You need to use PreparedStatement. e.g.
String insert = "INSERT INTO customer(name,address,email) VALUES(?, ?, ?);";
PreparedStatement ps = connection.prepareStatement(insert);
ps.setString(1, name);
ps.setString(2, addre);
ps.setString(3, email);
ResultSet rs = ps.executeQuery();
这可以防止注射攻击。
黑客把它放在那里的方式是你插入的字符串是否来自某处的输入 - 例如网页上的输入字段,或应用程序中的表单上的输入字段等。
The way the hacker puts it in there is if the String you are inserting has come from input somewhere - e.g. an input field on a web page, or an input field on a form in an application or similar.
这篇关于防止Java程序中的SQL注入攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!