如何为SQL查询转义字符串(没有预处理语句) [英] How to escape string for SQL query (without prepared statement)
问题描述
我知道准备好的陈述的力量,但我不能在这里使用它。我通过HTTP而不是通过JDBC将sql查询发送到外部服务器。
如何为SQL查询转义字符串?有办法通过JDBC做到这一点吗?或者我应该使用自定义类/函数?
I know the power of prepared statement, but I can't use it here. I send sql queries to external server via HTTP, not via JDBC. How to escape string for SQL query? There is way to do this via JDBC? or I should use custom class/function for this?
p.s。我也连接到其他DB,所以我可以使用JDBC函数。
p.s. Also I have connection to other DB, so I can use JDBC functions.
推荐答案
这听起来很不安全。如果您通过HTTP发送SQL语句,那么您可能会受到中间人攻击(以及其他攻击)的攻击。除此之外,如果他们看到你正在发送SQL语句,那么任何普通的程序员都可能会尝试对你的数据库执行恶意SQL。他们可以创建用户,更改密码,检索敏感数据......您确定这是处理事情的最佳方式吗?
This sounds very insecure. If you're sending SQL statements over the HTTP, then you could get compromised by man-in-the-middle attacks (among others). Apart from this, any average leveled programmer could attempt to execute malicious SQL against your database, if they see you're sending SQL statements around. They could create users, change passwords, retrieve sensitive data... Are you sure this is the best way to approach things?
这篇关于如何为SQL查询转义字符串(没有预处理语句)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
