First, what is SQL injection?
SQL injection changes the logical structure of the original SQL statement, so that the result of the statement is no longer what the developer intended.
Why does SQL injection happen?
1. During development, no attention is paid to writing standards for SQL statements and to keyword filtering, so nothing prevents the client from submitting SQL fragments to the server through GET or POST parameters (global variables).
2. Parameters are not pre-processed: when form data is submitted, the parameters are spliced into a complete statement and executed, so additional conditions or statements can be run in the process. For example, the statement was originally select * from user where username = [parameter 1] and password = [parameter 2], but after the user-supplied parameter is spliced in, what is executed is: select * from user where username = '' or 1 = 1 # and password = [parameter 2]. Everything after the # is a comment, so the statement actually executed is select * from user where username = '' or 1 = 1. Since 1 = 1 is true, and anything OR true is true, the whole table is returned. The result set is not empty, and therefore the login succeeds.
How can SQL injection be prevented?
1. PreparedStatement
Use precompiled statement sets, which have built-in handling of SQL injection, as long as values are always set through the setXXX methods.
Benefits of use:
(1) Better readability and maintainability of the code.
(2) PreparedStatement improves performance as far as possible.
(3) Most importantly, it greatly improves safety.
Principle:
SQL injection can only do damage during the preparation (compilation) of the SQL statement. With PreparedStatement the statement is prepared first, and at execution time the input string is treated as data,
not parsed as part of the SQL statement, so the SQL injection problem is avoided.
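As an added example that is not part of the original article, the login query from above is run both ways against an in-memory SQLite database in Python, standing in for JDBC's Statement and PreparedStatement. The user table and the two accounts are constructed for the example, and because SQLite has no # comment, the MySQL payload from the text is written with SQLite's -- comment.

```python
import sqlite3

# Constructed sample data: a small "user" table with two accounts.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, password):
    """The vulnerable pattern: parameters spliced into the statement text.
    The quote in the input closes the string literal and the rest of the
    input is parsed as SQL (the Statement-with-concatenation pattern)."""
    sql = ("select * from user where username = '" + username
           + "' and password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, username, password):
    """The PreparedStatement pattern: the statement is compiled with
    placeholders first, and the inputs are bound afterwards as data only,
    so a quote inside the input never reaches the SQL parser."""
    sql = "select * from user where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    conn = make_db()
    # The payload from the text, with SQLite's "--" comment in place of MySQL's "#".
    payload = "' or 1 = 1 -- "
    return {
        "concat_rows": len(login_concat(conn, payload, "anything")),      # whole table
        "prepared_rows": len(login_prepared(conn, payload, "anything")),  # no match
        "concat_valid": len(login_concat(conn, "alice", "s3cret")),
        "prepared_valid": len(login_prepared(conn, "alice", "s3cret")),
    }


if __name__ == "__main__":
    print(demo())
```

With the spliced query the payload returns every row of the table, while the parameterised query returns none; a genuine username and password return exactly one row either way.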
2. Use a regular expression to filter incoming parameters
Import the package:
import java.util.regex.*;
Regular expression:
private String CHECKSQL = "^(.+)\\sand\\s(.+)|(.+)\\sor(.+)\\s$";
Check whether it matches:
Pattern.matches(CHECKSQL, targetStr);
The following are specific regular expressions:
Regular expression detecting SQL meta-characters:
/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
Corrected regular expression detecting SQL meta-characters:
/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i
Regular expression for a typical SQL injection attack:
/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
Regular expression detecting SQL injection with the UNION keyword:
/((\%27)|(\'))union/ix
where (\%27)|(\') matches the single quote or its URL-encoded form.
Regular expression detecting MS SQL Server SQL injection attacks:
/exec(\s|\+)+(s|x)p\w+/ix
and many more.
3. String filter
A more common method:
(You can add further tokens between the | separators according to the needs of your program.)
public static boolean sql_inj(String str){
    String inj_str = "'|and|exec|insert|select|delete|update|"
                   + "count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";
    // split on the literal "|"; it must be escaped because "|" is regex alternation
    String[] inj_stra = inj_str.split("\\|");
    for (int i = 0; i < inj_stra.length; i++){
        if (str.indexOf(inj_stra[i]) >= 0){
            return true;   // a blacklisted token was found
        }
    }
    return false;
}
Note that this is a blacklist: it also rejects legitimate input that happens to contain one of the tokens (for example any value containing "or"), and the comparison is case-sensitive, so it is a supplement to PreparedStatement rather than a replacement for it.
4. Calling this function from a JSP to check whether the request contains illegal characters
Prevent SQL injection from the URL:
sql_inj.java code:
package sql_inj;

public class sql_inj{
    public static boolean sql_inj(String str){
        String inj_str = "'|and|exec|insert|select|delete|update|"
                       + "count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";
        // you can also add your own tokens here
        String[] inj_stra = inj_str.split("\\|");
        for (int i = 0; i < inj_stra.length; i++){
            if (str.indexOf(inj_stra[i]) >= 0){
                return true;   // illegal token found
            }
        }
        return false;
    }
}
5. JSP page check code:
Use JavaScript on the client side to block unsafe characters.
Purpose: check whether the string contains ', \ or /
Parameter: the string to check
Return value: 0 if an illegal character is found, 1 if not
The function is:
function check(a){
    var fibdn = new Array("'", "\\", "/");   // the blocked characters
    var i = fibdn.length;
    var j = a.length;
    for (var ii = 0; ii < i; ii++)
    {
        for (var jj = 0; jj < j; jj++)
        {
            var temp1 = a.charAt(jj);
            var temp2 = fibdn[ii];
            if (temp1 == temp2)
            { return 0; }   // illegal character found
        }
    }
    return 1;   // no illegal character
}
A client-side check can be disabled or skipped by the client, so it does not replace the server-side checks above.