PreparedStatement如何避免或阻止SQL注入？ [英] How does a PreparedStatement avoid or prevent SQL injection?

问题描述

我知道PreparedStatements可以避免/阻止SQL注入。它是如何做到的？使用PreparedStatements构造的最终表单查询是否为字符串或其他？

解决方案

SQL注入的问题是，用户输入用作SQL语句的一部分。通过使用预准备语句，您可以强制将用户输入作为参数的内容进行处理（而不是作为SQL命令的一部分）。

但是如果你不喜欢不要将用户输入用作准备语句的参数，而是通过将字符串连接在一起构建SQL命令，即使使用预准备语句，仍然容易受到SQL注入的攻击。<​​/ p>

I know that PreparedStatements avoid/prevent SQL Injection. How does it do that? Will the final form query that is constructed using PreparedStatements will be a string or otherwise?

解决方案

The problem with SQL injection is, that a user input is used as part of the SQL statement. By using prepared statements you can force the user input to be handled as the content of a parameter (and not as a part of the SQL command).

But if you don't use the user input as a parameter for your prepared statement but instead build your SQL command by joining strings together, you are still vulnerable to SQL injections even when using prepared statements.

这篇关于PreparedStatement如何避免或阻止SQL注入？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！