Sql injected from shallow and deep
There is a table of students
Now we need to get the final exam scores of students based on student name.
1.public static void getStudent(String name) throws ClassNotFoundException {
2. Connection conn = null;
3. Statement stmt = null;
4. ResultSet rs = null;
5. try {
6. Class.forName(JDBC_DRIVER);
7. conn = DriverManager.getConnection(DB_URL, USER, PASS);
8. stmt = conn.createStatement();
9. rs = stmt.executeQuery("select name,score from student where name =' " + name +"'");
10. while (rs.next()) {
11. System.out.println(rs.getString("name") + ":" + rs.getInt("score"));
12. }
13. } catch (SQLException e) {
14. // ignore
15. } finally {
16. if (rs != null) {
17. try {
18. rs.close();
19. } catch (Exception e) {
20. // ignore
21. }
22. }
23. if (stmt != null) {
24. try {
25. stmt.close();
26. } catch (Exception e) {
27. // ignore
28. }
29. }
30. if (conn != null) {
31. try {
32. conn.close();
33. } catch (SQLException e) {
34. // ignore
35. }
36. }
37. }
38. }1. Please indicate what security risks above this program? And give a specific test.
2. Please re-write applications to address these risks.
User input form, through malicious deception server sql. Rooted in the dynamic mosaic sql;
At this point you can use preparedstatement. ? Placeholder parameters can be simply prevented sql injected.
Note that in a package database error message.
There is a certain secret information is encrypted.
