3-2 First API and injection attack protection

The first API manages basic user data: the usual create, read, update and delete operations on users. With Spring Boot this API is easy to write.

First, create a new Maven project.


Dependencies

Introduce the dependencies, using the latest Spring Boot.




https://docs.spring.io/spring-boot/docs/2.2.0.RELEASE/reference/html/

https://docs.spring.io/spring-boot/docs/2.2.0.RELEASE/reference/html/using-spring-boot.html#using-boot-dependency-management (search for the keyword "maven"; the snippet is found there)

Copy this

Copy it into the project's pom.xml. With this dependency in place, the version numbers no longer have to be written when introducing the various other dependencies, because dependencyManagement already specifies them for us.

<dependencyManagement>
    <dependencies>
        <dependency>
            <!-- Import dependency management from Spring Boot -->
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-dependencies</artifactId>
            <version>2.2.0.RELEASE</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

We want to write a web project that provides an HTTP service, so search for starter-web.

Why can Eclipse show the effective POM?

https://zhidao.baidu.com/question/401757501.html
It is implemented by the m2eclipse plug-in.
The effective POM is the complete, actual pom.xml that takes effect for the Maven project:
https://blog.csdn.net/iteye_15147/article/details/82567934

Continue with the code

Copy the snippet found by the search and paste it inside the dependencies tag, then remove the version number.

Start a web project


Create a package



Create a startup class.

New user package



Add a User class.

The User class has two properties: id and name.


Then search for the lombok package.

Copy it into the project and remove the version number.

The @Data annotation is equivalent to adding all of these annotations: for a POJO (persistent class) it automatically generates getter and setter methods for the properties, a constructor, a toString method that overrides the one in Object, and hashCode and equals methods.

UserController




Don't write the business logic yet; first declare the methods.
The CRUD methods:

A method to search for a group of users.

Learn about attacks

The 2017 Top 10 attacks

The first is injection attacks, and the most common of those is SQL injection.

An example to demonstrate a SQL injection attack

Introducing JDBC

A SQL injection demo certainly needs JDBC operations, so find a JDBC library.




Configure the database-related parameters




The default driver is now the MySQL 8 one, so note the driver class name used here: com.mysql.cj.jdbc.Driver is the class name of the new MySQL 8 driver.

Search for the mysql driver and add it as well.

The final configuration that is kept:

Create a database table

Table fields



Add a few rows of test data.

Query the database inside the controller

To query the user table, first inject a JdbcTemplate.



Run the test program.

Send a request with an HTTP tool.

If the name is not written as a plain value, what gets queried out?



All the users in the system are queried out. This is the SQL injection technique.

Add a breakpoint in the program and trace it: the condition `or 1 = 1` is always satisfied.


Check the input parameters first: write a regular expression to validate the parameter. Another measure is access control on the database user:
the root user can do anything, so use a different user that does not have permission on all databases.

Use one of the higher-level database libraries such as JPA or MyBatis. Why is MyBatis also at risk? Because SQL text can still be injected into it, so there are points to note when using it.
JPA carries virtually no risk.
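The vulnerable query from the demo above beside the parameterized version and the regular-expression check, as an added example that is not the post's own code. It assumes Spring Boot's JdbcTemplate, a MySQL table named user with columns id and name, and a whitelist pattern that is an assumed policy.

```java
package com.example.demo.user;   // package name is an assumption

import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/users")
public class UserJdbcController {

    // Whitelist for the name parameter (assumed policy): letters, digits,
    // underscore and hyphen, 1 to 32 characters. Quotes and spaces are rejected.
    private static final Pattern NAME = Pattern.compile("^[\\p{L}\\p{N}_-]{1,32}$");

    private final JdbcTemplate jdbcTemplate;

    public UserJdbcController(JdbcTemplate jdbcTemplate) {
        this.jdbcTemplate = jdbcTemplate;
    }

    // Vulnerable version from the demo: the parameter is spliced into the SQL
    // text, so an input containing `' or 1=1` makes the WHERE clause always true
    // and every row of the table comes back.
    @GetMapping("/unsafe")
    public List<Map<String, Object>> unsafeFind(@RequestParam String name) {
        String sql = "select id, name from user where name = '" + name + "'";
        return jdbcTemplate.queryForList(sql);
    }

    // Fixed version: the value is validated against the whitelist and then bound
    // as a `?` parameter, so it reaches MySQL as data, never as SQL text.
    @GetMapping("/safe")
    public List<Map<String, Object>> safeFind(@RequestParam String name) {
        if (!NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("name contains characters that are not allowed");
        }
        String sql = "select id, name from user where name = ?";
        return jdbcTemplate.queryForList(sql, name);
    }
}
```

Requesting /users/safe with the same `or 1=1` input is rejected by the pattern, and even without the pattern the bound parameter would simply match no user.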

Use Spring JPA

Introduce the dependency

Add the JPA-related configuration to the configuration file.
With this property, if a property is added inside the User object it is automatically added as a field in the database table, and if another new object is added the database automatically gains a new table; objects and the database stay in sync. This is very convenient during development, but in general it is not used in production.

In the log you can see the SQL that JPA eventually executes.


Add the Entity annotation to the User class; this binds the POJO class to the database table.

Add an Id annotation to tell JPA that the id property is the primary key.

Write an interface, UserRepository. It is the data-manipulation object we use to operate on User objects, and operating on User objects is operating on our user table.

Inherit this interface, which is used for some dynamic queries,

to create a basic CRUD interface. Long indicates the type of the primary key.

Continue with the controller code

Inject the repository


This way, the query method is declared directly within the interface.
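The entity, repository and controller described in this section, written out as an added example that is not the post's own code; the package name and the /users path are assumptions, and the three files are shown one after another in a single block.

```java
// File: User.java  (package name is an assumption)
package com.example.demo.user;
import javax.persistence.Entity;
import javax.persistence.Id;
import lombok.Data;

@Data
@Entity   // binds this POJO to the user table
public class User {
    @Id   // the id property is the primary key
    private Long id;
    private String name;
}

// File: UserRepository.java
package com.example.demo.user;
import java.util.List;
import org.springframework.data.jpa.repository.JpaRepository;

// JpaRepository supplies the basic CRUD methods; Long is the primary-key type.
public interface UserRepository extends JpaRepository<User, Long> {
    // Derived query: Spring Data generates `where name = ?` from the method
    // name and binds the argument, so the input can never alter the SQL text.
    List<User> findByName(String name);
}

// File: UserController.java
package com.example.demo.user;
import java.util.List;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/users")
public class UserController {
    private final UserRepository userRepository;   // injected by Spring

    public UserController(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    // With the `or 1=1` input from the JDBC demo this returns an empty list,
    // because the whole string is compared as a literal name.
    @GetMapping
    public List<User> find(@RequestParam String name) {
        return userRepository.findByName(name);
    }
}
```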


Run the test



The result of the execution is empty.


The function is achieved while preventing a SQL injection attack from stealing data from our database.

The SQL statement is output in the log.

End





Origin www.cnblogs.com/wangjunwei/p/11809280.html