PreparedStatement 是否避免了 SQL 注入? [英] Does the preparedStatement avoid SQL injection?

问题描述

我已阅读并尝试将易受攻击的 sql 查询注入到我的应用程序中.这还不够安全.我只是将 Statement Connection 用于数据库验证和其他插入操作.

I have read and tried to inject vulnerable sql queries to my application. It is not safe enough. I am simply using the Statement Connection for database validations and other insertion operations.

preparedStatements 安全吗?而且这个说法也会有问题吗?

Is the preparedStatements safe? and moreover will there be any problem with this statement too?

推荐答案

使用字符串连接从任意输入构建查询不会使 PreparedStatement 安全.看看这个例子:

Using string concatenation for constructing your query from arbitrary input will not make PreparedStatement safe. Take a look at this example:

preparedStatement = "SELECT * FROM users WHERE name = '" + userName + "';";

如果有人放

' or '1'='1

作为 userName，你的 PreparedStatement 将容易受到 SQL 注入，因为该查询将在数据库上执行

as userName, your PreparedStatement will be vulnerable to SQL injection, since that query will be executed on database as

SELECT * FROM users WHERE name = '' OR '1'='1';

所以，如果你使用

preparedStatement = "SELECT * FROM users WHERE name = ?";
preparedStatement.setString(1, userName);

你会安全的.

部分代码取自这篇维基百科文章.

这篇关于PreparedStatement 是否避免了 SQL 注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！