Database learning notes, Day 3 (SQL injection)

Day 3

July 7, 2019.
This is my third day of learning databases.
On this day I learned the following.

SQL Injection

About
So-called SQL injection means inserting SQL commands into a web form submission, a query string, or a domain name or page request, ultimately tricking the server into executing malicious SQL commands. Specifically, it exploits an existing application's ability to pass (malicious) SQL commands to the back-end database engine for execution: by entering (malicious) SQL statements in a web form, an attacker reaches the database of a site that has this vulnerability, instead of the SQL being executed as the designer intended. For example, the VIP member passwords that many video sites leaked in the past were mostly extracted by submitting query strings through web forms; such forms are particularly vulnerable to SQL injection attacks.

Principles
An SQL injection attack means that a web application passes parameters that are mostly combined into SQL syntax, executes the resulting SQL statement, and thereby performs the operations the attacker wants. The main cause is that the program does not filter the user's input in a fine-grained way by checking for specially constructed input, so illegal data gets in.
According to the principles of the related technique, SQL injection can be divided into platform-layer injection and code-layer injection. The former is caused by an insecure database configuration or a vulnerability in the database platform; the latter is mainly due to programmers not filtering input carefully, so that an illegal data query is executed. Based on this, the causes of SQL injection usually appear in the following aspects: ① improper type handling; ② insecure database configuration; ③ unreasonable query-set handling; ④ improper error handling; ⑤ improper escape-character handling; ⑥ improper handling of multiple submissions.

Attack
SQL injection attacks occur when an application uses input to construct dynamic SQL statements that access the database. SQL injection also occurs if the code uses stored procedures that are passed a string containing unfiltered user input. SQL injection can allow an attacker to execute commands in the database using the application's own login. Testing for SQL injection can be done with tools such as Pangolin. If the application connects to the database with a high-privilege account, the problem becomes very severe. In some forms, user input is used directly to construct a dynamic SQL command or is stored as an input parameter of a stored procedure; such forms are particularly vulnerable to SQL injection attacks. Many websites, when writing their programs, do not check the legitimacy of user input, or the program itself does not handle its variables properly, which puts the application at security risk. As a result, a user can submit code that queries the database, the program returns the result, and the user obtains sensitive information or even control of the entire server; that is when SQL injection occurs.

JDBC applications on SQL Injection

Following the JDBC code from the relevant section, we found that whether or not the password was correct, we were told the login succeeded, which is obviously unreasonable. What is the problem?
After string concatenation, the SQL statement is (the password part is still shown as the Java concatenation):

select * from users where username = 'abc' or 1 = 1 and password = '"+password+"';

As can be seen, the "or" condition is already satisfied when the statement runs, so it does not matter whether the part after it is right: the login succeeds without the password being verified.
The problem above is that special characters were added to the SQL statement to form keywords, changing its execution path so that it operates on the data in an unintended way.
So how do we prevent this problem? We need to use the PreparedStatement object described next.

PreparedStatement objects

Advantages
PreparedStatement is a subclass of Statement; an instance is obtained by calling Connection.prepareStatement(). Compared with the Statement object, PreparedStatement avoids the SQL injection problem.
Statement makes the database compile SQL frequently, which may overflow the database's buffer. PreparedStatement lets SQL be precompiled, which improves database efficiency. And PreparedStatement allows the SQL parameters to be replaced by placeholders, which simplifies writing the SQL statement.

An example of using the PreparedStatement object follows:

import java.sql.*;
import java.util.Scanner;

// Preventing SQL injection
public class Demo03 {

    public static void main(String[] args) {

        Scanner scanner = new Scanner(System.in);

        Connection connection = null;
        PreparedStatement preparedStatement = null;
        ResultSet resultSet = null;

        try {
            // 1. Get the database connection (JDBCUtils is the tutorial's own helper class)
            connection = JDBCUtils.getConnection();

            // prepareStatement solves the SQL injection problem
            // select * from users where id = 1
            // System.out.print("Enter the username to query: ");
            // String username = scanner.nextLine();

            /*
            preparedStatement [recommended] vs. Statement:
            Same: both are used to execute SQL statements
            Different:
                Statement is unsafe, cannot precompile SQL, cannot use placeholders, and makes SQL concatenation errors easy
                preparedStatement is safe, precompiles the SQL statement, can use ? placeholders, and the SQL is clearer.

            How to assign values to preparedStatement placeholders:
                preparedStatement.setXXX [xxx: the type of the placeholder's data] (? index [starting from 1], value passed in)

            Statement writes the SQL first and then executes it: Statement.execute(SQL)
            preparedStatement compiles the SQL directly, then a method call executes it: preparedStatement.execute();
            */

            preparedStatement = connection.prepareStatement("select * from users where id = ? and name = ?");

            preparedStatement.setInt(1, 4);
            preparedStatement.setString(2, "qinjiang");

            // preparedStatement.setString(1, username);

            resultSet = preparedStatement.executeQuery();

            while (resultSet.next()) {
                System.out.println(resultSet.getString("name"));
                System.out.println(resultSet.getString("password"));
            }

        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            // 5. Release resources
            JDBCUtils.closeAll(resultSet, preparedStatement, connection);
        }

    }
}
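To make the two halves of this section concrete (the concatenated login statement that lets the "or" condition short-circuit the password check, and the placeholder-based fix), here is an added, runnable example that is not part of the original post. It uses Python's sqlite3 module with an in-memory database and constructed sample users instead of the tutorial's JDBC setup; the "?" placeholders bound by the driver play the same role as PreparedStatement.setString in the Java code above. The table layout, user names and passwords are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample table (not data from the original post).
SAMPLE_USERS = [("abc", "s3cret-abc"), ("qinjiang", "s3cret-qj")]


def make_db():
    """Create an in-memory SQLite database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table users (id integer primary key, username text, password text)"
    )
    conn.executemany(
        "insert into users (username, password) values (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def concatenated_login_sql(username, password):
    """The dynamic SQL a Statement-style login builds by string concatenation.

    The input lands inside the SQL text, so a quote in the input closes the
    string literal and whatever follows is parsed as SQL syntax.
    """
    return (
        "select * from users where username = '" + username
        + "' and password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Login check that executes the concatenated statement (like Statement in JDBC)."""
    row = conn.execute(concatenated_login_sql(username, password)).fetchone()
    return row is not None


def login_parameterized(conn, username, password):
    """Login check using ? placeholders, the DB-API counterpart of PreparedStatement.

    The SQL text is fixed; the driver binds the values separately, so a quote
    in the input is just a character of the compared string, never SQL syntax.
    """
    row = conn.execute(
        "select * from users where username = ? and password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # Injected username in the same shape as the post's statement:
    # the "or" branch is true, so the password part no longer decides the outcome.
    injected = "abc' or '1' = '1"
    print(concatenated_login_sql(injected, "wrong"))
    print("vulnerable login:", login_vulnerable(db, injected, "wrong"))        # True
    print("parameterized login:", login_parameterized(db, injected, "wrong"))  # False
```

Running the script prints the concatenated statement, shows the vulnerable check accepting the wrong password, and shows the parameterized check rejecting it because it looks for a user whose name is literally "abc' or '1' = '1". Note that SQL evaluates AND before OR, so in the concatenated statement the injected condition reads as username = 'abc' OR ('1' = '1' AND password = 'wrong'); it passes here because the user "abc" exists in the sample table.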


Origin blog.csdn.net/qq_41151659/article/details/94874174