Avoiding SQL Injection


Question

I want to avoid SQL Injections in my Webapp. It's Java based.

Are PreparedStatements enough?

Do I have to filter out the ' and "? Are there already solutions for this in Java?

Recommended answer

My gut response to the question in your second paragraph is that it's usually a bad idea to consider a single aspect "enough" for this sort of issue - at least if you do this to the point that you stop thinking about the principles involved.

Using PreparedStatements does go a long way to stopping SQL injection, just like slapping down synchronized everywhere goes a long way to stopping data races. And in many individual situations they'll be entirely sufficient. But in both cases they're not magic bullets - you need to be aware of the reasons you're using them, and when and where they're insufficient. For example, if you think PreparedStatements are a magic wrapper that prevents SQL injection, you'll be very disappointed the first time you need to create a dynamic statement (as opposed to merely a parameterised one) based on user input.

Thus the thing that's "enough", is education. Understand how and why the threat works; once you grok that, you'll be able to take the appropriate actions to a given situation (which sometimes is just using a PreparedStatement, but not always). I'm not aware of any particularly good resources on SQL injection though (above and beyond what you can get from Google), so hopefully other answers can point you to the One True Tutorial!
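The distinction the answer draws between a parameterised statement and a dynamic one, as an added example that is not code from the question or the answer. The `users` table, its columns and the `UserSearch` class are assumed; a `?` placeholder can only carry a value, so the sort column in the last method has to be validated against a fixed allow-list instead.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

// Hypothetical class; the "users" table with columns id, name, created_at is assumed.
public class UserSearch {

    // Vulnerable: user-controlled text is spliced into the SQL text itself,
    // so a quote character in "name" changes the structure of the query.
    static ResultSet findByNameUnsafe(Connection c, String name) throws SQLException {
        String sql = "SELECT id, name FROM users WHERE name = '" + name + "'";
        return c.createStatement().executeQuery(sql);
    }

    // Parameterised: the SQL text is fixed and "name" travels to the driver
    // as a bound value, so quotes inside it are data, not syntax. No manual
    // filtering of ' or " is needed for this case.
    static ResultSet findByName(Connection c, String name) throws SQLException {
        PreparedStatement ps = c.prepareStatement("SELECT id, name FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }

    // The case the answer warns about: an identifier (here the ORDER BY column)
    // cannot be bound with '?', because parameters only stand in for values.
    // The safe approach is to restrict the input to a closed set of known
    // column names before concatenating it into the statement.
    private static final Set<String> SORTABLE = Set.of("id", "name", "created_at");

    static ResultSet listSorted(Connection c, String sortColumn, boolean descending)
            throws SQLException {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        // Only allow-listed identifiers reach this point; the direction is a
        // boolean mapped to a fixed keyword, never user text.
        String sql = "SELECT id, name FROM users ORDER BY " + sortColumn
                + (descending ? " DESC" : " ASC");
        return c.prepareStatement(sql).executeQuery();
    }
}
```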
