在没有预准备语句的情况下防止SQL注入（JDBC） [英] Preventing SQL injection without prepared statements (JDBC)

问题描述

我有一个数据库日志追加器，每隔一段时间就会将可变数量的日志行插入数据库。

I have a database log appender that inserts a variable number of log lines into the database every once in a while.

我想创建一个SQL语句以某种方式阻止SQL注入，但不使用服务器端预处理语句（因为我在每个选择中都有可变数量的行，缓存它们不会有帮助但可能会损害性能）。

I'd like to create an SQL statement in a way that prevents SQL injection, but not using server-side prepared statements (because I have a variable number of rows in every select, caching them won't help but might hurt performance here).

我也喜欢准备好的语句的便利性，并且更喜欢它们串联连接。有没有像'客户端准备好的声明'？

I also like the convenience of prepared statments, and prefer them to string concatination. Is there something like a 'client side prepared statement' ?

推荐答案

听起来你没有对最简单的解决方案进行基准测试 - 准备好了声明。你说他们可能会损害性能，但在你测试之前，你真的不会知道。

It sounds like you haven't benchmarked the simplest solution - prepared statements. You say that they "might hurt performance" but until you've tested it, you really won't know.

我会绝对测试先准备好的陈述。即使他们做稍微妨碍了性能，在你测试它们之前，你不会知道你是否仍然能达到你所需的性能。

I would definitely test prepared statements first. Even if they do hamper performance slightly, until you've tested them you won't know whether you can still achieve the performance you require.

当你没有尝试过最明显的解决方案时，为什么要花时间寻找替代解决方案呢？

Why spend time trying to find alternative solutions when you haven't tried the most obvious one?

如果你发现准备好的语句执行计划缓存是代价高昂，您可能会发现有特定于数据库的方法可以调整或禁用它。

If you find that prepared statement execution plan caching is costly, you may well find there are DB-specific ways of tuning or disabling it.

这篇关于在没有预准备语句的情况下防止SQL注入（JDBC）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！