Does Spring JDBC provide any protection from SQL injection attacks?


Question

Spring's JdbcTemplate abstraction provides a lot of functionality, but can it be used in such a way that provides protection from SQL injection attacks?

For example, like the kind of protection you would get using PreparedStatement with properly defined parameterization.

Accepted answer

It most certainly does. This example is straight from the Spring 3.0 docs (but is the same in 2.*):

String lastName = this.jdbcTemplate.queryForObject(
        "select last_name from t_actor where id = ?",
        String.class, 1212L);

As you can see, it strongly favors prepared statements (which it must be using behind the scenes for you): you specify the parameters with placeholders (?) and supply an array of objects to fill into the parameters. (The last parameter is the type of the expected result, but that's not very relevant for this question.)

You can also use a NamedParameterJdbcTemplate and supply the parameters in a Map, which is perhaps less efficient but definitely more mnemonic.
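The distinction the answer draws, shown as an added example that is not part of the original answer: the same query written with string concatenation (which JdbcTemplate cannot protect) beside the `?` placeholder form and the NamedParameterJdbcTemplate form. It assumes spring-jdbc and the embedded H2 driver are on the classpath; the t_actor table and its rows are constructed in the code.

```java
// Added example, not from the original answer. Assumes spring-jdbc and the
// embedded H2 driver on the classpath; t_actor and its rows are constructed here.
import java.util.List;
import java.util.Map;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
import org.springframework.jdbc.datasource.DriverManagerDataSource;

public class JdbcInjectionDemo {

    public static void main(String[] args) {
        DriverManagerDataSource ds = new DriverManagerDataSource();
        ds.setDriverClassName("org.h2.Driver");
        ds.setUrl("jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1");
        JdbcTemplate jdbc = new JdbcTemplate(ds);
        jdbc.execute("create table t_actor (id bigint primary key, last_name varchar(64))");
        jdbc.update("insert into t_actor values (?, ?)", 1212L, "Hauer");
        jdbc.update("insert into t_actor values (?, ?)", 1213L, "Smith");

        // Constructed untrusted input containing a quote: under concatenation the
        // quote ends the literal and the rest becomes part of the SQL text.
        String input = "x' or '1'='1";

        // Unsafe: the value is spliced into the SQL string, so the template sees a
        // different statement than the developer intended and every row matches.
        List<String> concatenated = jdbc.queryForList(
                "select last_name from t_actor where last_name = '" + input + "'",
                String.class);
        System.out.println("concatenated: " + concatenated); // [Hauer, Smith]

        // Safe: the '?' placeholder is bound through a PreparedStatement, so the
        // whole input is compared as a plain string value and nothing matches.
        List<String> bound = jdbc.queryForList(
                "select last_name from t_actor where last_name = ?",
                String.class, input);
        System.out.println("bound: " + bound); // []

        // Same protection with NamedParameterJdbcTemplate: named placeholders
        // filled from a Map, as the answer describes.
        NamedParameterJdbcTemplate named = new NamedParameterJdbcTemplate(ds);
        String lastName = named.queryForObject(
                "select last_name from t_actor where id = :id",
                Map.of("id", 1212L), String.class);
        System.out.println("named: " + lastName); // Hauer
    }
}
```

The only difference between the unsafe and safe queries is whether the input travels inside the SQL text or as a bind parameter; JdbcTemplate helps only in the second case.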
