PreparedStatement如何避免或阻止SQL注入? [英] How does a PreparedStatement avoid or prevent SQL injection?
问题描述
我知道PreparedStatements可以避免/阻止SQL注入。它是如何做到的?使用PreparedStatements构造的最终表单查询是否为字符串或其他?
SQL注入的问题是,用户输入用作SQL语句的一部分。通过使用预准备语句,您可以强制将用户输入作为参数的内容进行处理(而不是作为SQL命令的一部分)。
但是如果你不喜欢不要将用户输入用作准备语句的参数,而是通过将字符串连接在一起构建SQL命令,即使使用预准备语句,仍然容易受到SQL注入的攻击。</ p>
I know that PreparedStatements avoid/prevent SQL Injection. How does it do that? Will the final form query that is constructed using PreparedStatements will be a string or otherwise?
The problem with SQL injection is, that a user input is used as part of the SQL statement. By using prepared statements you can force the user input to be handled as the content of a parameter (and not as a part of the SQL command).
But if you don't use the user input as a parameter for your prepared statement but instead build your SQL command by joining strings together, you are still vulnerable to SQL injections even when using prepared statements.
这篇关于PreparedStatement如何避免或阻止SQL注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!