How to prevent SQL injection attacks

SQL injection is one of the most common ways attackers compromise databases. As B/S (browser/server) applications have become widespread, many of them carry hidden security risks because they never check whether user-supplied data is legitimate. A user can submit a fragment of database query code and, from the results the program returns, obtain data he was never meant to see. This is the so-called SQL injection.

What is a SQL injection attack

Below we use an example from actual production to demonstrate what a SQL injection attack is.

Unsafe code writing

When we pay no attention to SQL injection, the SQL is easily written as follows:

public List<People> orderList(String peopleid) {
    // The parameter from the front end is concatenated straight into the SQL text
    // (this is the deliberately vulnerable version discussed in the text)
    String sql = "select id,name,age from people where people_id = " + peopleid;
    return jdbcTemplate.query(sql, new BeanPropertyRowMapper<>(People.class));
}

Here we splice the parameter passed in from the front end directly onto the end of the SQL statement, and this is exactly where SQL injection becomes possible.

Attack method

  • Query all data, bypassing the where condition
    • From the analysis above, because the SQL is spliced together, an attacker only needs to append an always-true identity such as "or 1=1" and all rows are returned.
  • Query the MySQL version number (version())
    • Uses union to splice a second query onto the SQL
  • Query the database name (database())
    • Uses union to splice a second query onto the SQL
  • Query all databases visible to the current MySQL user
    • Also uses union to splice a second query onto the SQL

From this we can see that as long as you splice SQL together from user input, the other party has a hundred ways to attack you and extract key data.

How to prevent sql injection

Code layer

The best solution at the code layer for preventing SQL injection is SQL precompilation, that is, a prepared statement in which the SQL text is fixed and the parameter is bound to a ? placeholder:

public List<People> orderList(String peopleid) {
    // The SQL text is fixed; the value is passed separately and bound to the ? placeholder
    String sql = "select id,name,age from people where people_id = ?";
    return jdbcTemplate.query(sql, new BeanPropertyRowMapper<>(People.class), peopleid);
}

The passed argument "4 or 1 = 1" is then treated as a single people_id value rather than as SQL, so no injection occurs.

Other methods

  • Confirm the type of each piece of data; for example, a number must be stored in the database as an int type
  • Specifying a maximum data length prevents SQL injection to a certain extent
  • Strictly restrict database permissions, which minimizes the harm a SQL injection can do
  • Avoid returning raw SQL exception information to the client; after a SQL exception occurs, respond with a customized exception instead
  • Filter database keywords contained in the parameters
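The example below is added here and is not code from the original post: it combines the precompiled statement from the code layer section with the type check, length limit and exception handling from the list above. It uses java.sql directly instead of the post's JdbcTemplate so that the PreparedStatement behind "SQL precompilation" is visible; the Connection, the MAX_ID_LENGTH value and the People record are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;

public class PeopleRepository {
    private static final Logger LOG = Logger.getLogger(PeopleRepository.class.getName());
    private static final int MAX_ID_LENGTH = 10;   // assumed length limit for a people_id

    private final Connection conn;                  // assumed to be supplied by the caller

    public PeopleRepository(Connection conn) { this.conn = conn; }

    // Step 1: confirm the type and length of the input before it reaches SQL.
    // "4 or 1=1" is rejected here; "4" is converted to a long.
    static long parsePeopleId(String peopleid) {
        if (peopleid == null || peopleid.isEmpty() || peopleid.length() > MAX_ID_LENGTH
                || !peopleid.chars().allMatch(Character::isDigit)) {
            throw new IllegalArgumentException("people_id must be a number");
        }
        return Long.parseLong(peopleid);
    }

    // Step 2: the SQL text is fixed and precompiled; the value is bound to the ?
    // placeholder, so the driver never parses user input as SQL.
    public List<People> orderList(String peopleid) {
        long id = parsePeopleId(peopleid);
        String sql = "select id, name, age from people where people_id = ?";
        List<People> result = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    result.add(new People(rs.getLong("id"), rs.getString("name"), rs.getInt("age")));
                }
            }
        } catch (SQLException e) {
            // Step 3: log the driver's message server-side, return only a generic error to the client.
            LOG.severe("query failed: " + e.getMessage());
            throw new IllegalStateException("query failed");
        }
        return result;
    }

    // Minimal People type assumed here; the post's People class is not shown.
    public record People(long id, String name, int age) {}
}
```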

Finally

  • If you feel rewarded after reading, I hope you will give me a thumbs up; that is my biggest motivation to keep updating. Thank you for your support.
  • Welcome everyone to follow my official account [java Toka Fox], which focuses on the basics of Java and computing and guarantees you will gain something from reading. If you don't believe me, come and hit me.
  • If you have different opinions or suggestions after reading, welcome to comment and share. Thank you for your support and love.

Source: blog.csdn.net/issunmingzhi/article/details/108715306