preparedStatement是否避免SQL注入？ [英] Does the preparedStatement avoid SQL injection?

问题描述

我已阅读并尝试将易受攻击的SQL查询注入我的应用程序。这不够安全。我只是使用Statement Connection进行数据库验证和其他插入操作。

I have read and tried to inject vulnerable sql queries to my application. It is not safe enough. I am simply using the Statement Connection for database validations and other insertion operations.

preparedStatements是否安全？而且这句话也会有任何问题吗？

Is the preparedStatements safe? and moreover will there be any problem with this statement too?

推荐答案

使用字符串连接从任意输入构造查询将不会 PreparedStatement safe。看一下这个例子：

Using string concatenation for constructing your query from arbitrary input will not make PreparedStatement safe. Take a look at this example:

preparedStatement = "SELECT * FROM users WHERE name = '" + userName + "';";

如果有人提出

' or '1'='1

as userName ，您的 PreparedStatement 将容易受到SQL注入攻击，因为该查询将在数据库上执行为

as userName, your PreparedStatement will be vulnerable to SQL injection, since that query will be executed on database as

SELECT * FROM users WHERE name = '' OR '1'='1';

所以，如果你使用

preparedStatement = "SELECT * FROM users WHERE name = ?";
preparedStatement.setString(1, userName);

您将是安全的。

一些此代码取自此维基百科文章。

这篇关于preparedStatement是否避免SQL注入？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！